HIGH 7.1

CVE-2026-46150

A flaw in the Linux kernel's fanotify file monitoring subsystem can allow a local user with minimal privileges to bypass permission checks on file access events. The vulnerability stems from a logic error where the kernel incorrectly returns false for marks belonging to unrelated monitoring groups, causing permission event validation to be skipped. An attacker with local access could exploit this to circumvent intended file access restrictions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.1 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Weaknesses (CWE)
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: fanotify: fix false positive on permission events fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check. Fix by skipping over detached marks that are not in the current group.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46150 is a logic error in the Linux kernel's fanotify permission event handling. The fsnotify_get_mark_safe() function may return false for a mark associated with an unrelated notification group, allowing subsequent permission checks to be bypassed. The fix involves properly skipping detached marks that do not belong to the current group before proceeding with permission event validation. This prevents the premature exit from permission check logic and closes the window for unauthorized file access.

Business impact

Organizations running Linux systems face the risk of local privilege escalation and unauthorized file access. A local user could bypass file access monitoring and permissions, potentially allowing unauthorized data access, modification, or exfiltration. This is particularly concerning in multi-tenant environments, containerized deployments, and systems where fanotify is used to enforce file access policies. The impact is heightened in regulated environments where file access controls are critical compliance requirements.

Affected systems

The Linux kernel is affected by this vulnerability. All kernel versions prior to the fix are potentially vulnerable. Organizations should check their running kernel versions against vendor advisories to determine exposure. Both enterprise and community Linux distributions that include vulnerable kernel versions require patching.

Exploitability

Exploitation requires local access to the affected system; remote exploitation is not possible. The vulnerability requires the attacker to have local user privileges (PR:L per CVSS vector), making it suitable for insider threat scenarios or post-compromise lateral movement. The straightforward nature of the logic error suggests active exploitation is plausible once the vulnerability is widely understood.

Remediation

Apply the latest Linux kernel update from your distribution vendor that includes the fanotify permission event handling fix. Kernel updates typically address this through security patches released in maintenance kernels. Verify the applied kernel version contains the commit that corrects fsnotify_get_mark_safe() behavior for cross-group mark detection.

Patch guidance

Monitor your Linux distribution's security advisory channels for kernel updates addressing fanotify. Most major distributions (Ubuntu, Red Hat, Debian, SUSE, etc.) release kernel updates through their standard patch mechanisms. Prioritize applying updates to systems where fanotify is actively used for file access monitoring. Test updates in non-production environments first to ensure compatibility with your monitoring and security tools before broad deployment.

Detection guidance

Review audit logs and system call traces for unexpected fanotify permission event denials or bypasses on protected files. Monitor for local user activity involving file access to sensitive locations immediately after updates or configuration changes. Correlate fanotify event logs with unauthorized file access incidents. Organizations using EDR or kernel-level monitoring tools should review logs for permission bypass patterns around fanotify-protected resources.

Why prioritize this

This vulnerability merits rapid patching due to its HIGH CVSS score (7.1) and local privilege escalation potential. The logic error in permission event handling directly undermines file access control enforcement, which is critical in security-hardened systems. While exploitation requires local access, the ease of exploitation and the sensitivity of the affected subsystem justify priority treatment in patch management workflows.

Risk score, explained

The CVSS v3.1 score of 7.1 (HIGH) reflects high impact on confidentiality and integrity through local privilege escalation (C:H, I:H) with relatively low attack complexity (AV:L, AC:L, PR:L). The absence of availability impact is noted. The score appropriately reflects the serious nature of bypassing file access permission checks while acknowledging the local access prerequisite.

Frequently asked questions

Does this vulnerability allow remote code execution or remote access?

No. The vulnerability is local-only (AV:L) and requires an attacker to already have local user access to the system. Remote exploitation is not possible.

Will my system be vulnerable immediately after the kernel update?

No. Once you apply the kernel update containing the fix and reboot (if required by your distribution), the fanotify permission event handling will be corrected. Ensure your system's kernel version matches the patched release from your vendor.

How does this affect container security?

In containerized environments, this could allow a container process to bypass fanotify-based file access controls that would normally be enforced by the host kernel. Organizations using fanotify for container runtime security or policy enforcement should prioritize patching to maintain isolation boundaries.

Should I disable fanotify if I cannot patch immediately?

Disabling fanotify will prevent its use for file monitoring, but may break security tools or applications that depend on it. The better approach is to prioritize patching. If you must delay patching, carefully review which applications or security controls depend on fanotify and assess the risk accordingly.

This analysis is provided for informational purposes based on publicly disclosed vulnerability data. No exploit code or weaponized proof-of-concept is included or implied. Organizations should verify patch availability and compatibility through official vendor advisories before deployment. Testing in non-production environments is strongly recommended. This vulnerability requires local access and does not enable remote exploitation. Always consult your distribution's security advisory for specific patch version numbers and deployment guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Related vulnerabilities

  • CVE-2026-10001HIGH

    CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free

  • CVE-2026-10002HIGH

    CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)

  • CVE-2026-10003HIGH

    CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis

  • CVE-2026-10006HIGH

    CVE-2026-10006: Chrome WebAudio Race Condition Remote Code Execution

  • CVE-2026-10007HIGH

    CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)

  • CVE-2026-10009HIGH

    CVE-2026-10009: Chrome Skia Integer Overflow Sandbox Escape – Patch Guidance

  • CVE-2026-10012HIGH

    CVE-2026-10012: Chrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)

  • CVE-2026-10013HIGH

    CVE-2026-10013: Use-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment