CVE-2026-52990

Published: June 24, 2026 · Updated: Jun 24, 2026

EPSS: 0.18% probability of exploitation in 30 days · Percentile: 7.2th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

fsnotify: fix inode reference leak in fsnotify_recalc_mask()

fsnotify_recalc_mask() fails to handle the return value of __fsnotify_recalc_mask(), which may return an inode pointer that needs to be released via fsnotify_drop_object() when the connector's HAS_IREF flag transitions from set to cleared.

This manifests as a hung task with the following call trace:

    INFO: task umount:1234 blocked for more than 120 seconds.
    Call Trace:
      __schedule
      schedule
      fsnotify_sb_delete
      generic_shutdown_super
      kill_anon_super
      cleanup_mnt
      task_work_run
      do_exit
      do_group_exit

The race window that triggers the iref leak:

    Thread A (adding mark)                 Thread B (removing mark)
    ──────────────────────                 ────────────────────────
    fsnotify_add_mark_locked():
      fsnotify_add_mark_list():
        spin_lock(conn->lock)
        add mark_B(evictable) to list
        spin_unlock(conn->lock)
        return

      /* ---- gap: no lock held ---- */

                                           fsnotify_detach_mark(mark_A):
                                             spin_lock(mark_A->lock)
                                             clear ATTACHED flag on mark_A
                                             spin_unlock(mark_A->lock)
                                             fsnotify_put_mark(mark_A)

      fsnotify_recalc_mask():
        spin_lock(conn->lock)
        __fsnotify_recalc_mask():
          /* mark_A skipped: ATTACHED cleared */
          /* only mark_B(evictable) remains */
          want_iref = false
          has_iref = true /* not yet cleared */
          -> HAS_IREF transitions true -> false
          -> returns inode pointer
        spin_unlock(conn->lock)
        /* BUG: return value discarded!
         * iput() and fsnotify_put_sb_watched_objects()
         * are never called */

Fix this by deferring the transition true -> false of HAS_IREF flag from fsnotify_recalc_mask() (Thread A) to fsnotify_put_mark() (Thread B).

NVD Source
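
An added example, not part of the CVE record or the kernel patch: a log triage script that finds hung-task reports matching the call trace in the description, that is, a task blocked in fsnotify_sb_delete() under generic_shutdown_super(). The sample log is constructed, and the names hung_task_reports and fsnotify_umount_hangs are this example's own.

```python
import re

# Constructed sample kernel log, modelled on the trace in the description;
# timestamps, offsets and the second (unrelated) report are made up.
SAMPLE_LOG = """\
[ 4821.100001] INFO: task umount:1234 blocked for more than 120 seconds.
[ 4821.100009] Call Trace:
[ 4821.100011]  <TASK>
[ 4821.100013]  __schedule+0x2f0/0x8a0
[ 4821.100016]  schedule+0x5e/0xd0
[ 4821.100019]  fsnotify_sb_delete+0x11c/0x1b0
[ 4821.100022]  generic_shutdown_super+0x4a/0x110
[ 5010.200001] INFO: task kworker/3:1:77 blocked for more than 120 seconds.
[ 5010.200005] Call Trace:
[ 5010.200007]  __schedule+0x2f0/0x8a0
[ 5010.200009]  io_schedule+0x46/0x70
"""

HUNG = re.compile(r"INFO: task (?P<comm>.+):(?P<pid>\d+) blocked for more than \d+ seconds")
FRAME = re.compile(r"^\s*\??\s*([A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s*$")
STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # optional dmesg timestamp prefix


def hung_task_reports(log_text):
    """Split kernel log text into hung-task reports with their stack frames."""
    reports, current, in_trace = [], None, False
    for raw in log_text.splitlines():
        line = STAMP.sub("", raw)
        m = HUNG.search(line)
        if m:  # a new report starts; frames that follow belong to it
            current = {"comm": m["comm"], "pid": int(m["pid"]), "frames": []}
            reports.append(current)
            in_trace = False
        elif current is not None and line.strip() == "Call Trace:":
            in_trace = True
        elif current is not None and in_trace:
            f = FRAME.match(line)  # skips <TASK> markers and register dumps
            if f:
                current["frames"].append(f.group(1))
    return reports


def fsnotify_umount_hangs(log_text):
    """Reports whose stack waits in fsnotify_sb_delete() during superblock shutdown."""
    return [r for r in hung_task_reports(log_text)
            if "fsnotify_sb_delete" in r["frames"]
            and "generic_shutdown_super" in r["frames"]]
```

A match is a triage signal for hosts to prioritise for the kernel update, not proof of this specific leak.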

Technical Analysis

CVE-2026-52990 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time

All References (4)

Quick Facts

CVE ID: CVE-2026-52990
Severity: NONE
CISA KEV: No
EPSS (30d): 0.18%
Published: Jun 24, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-52990 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.