CVE-2026-46150 Overview
CVE-2026-46150 is a Linux kernel vulnerability in the fanotify file access notification subsystem. The flaw lies in how fsnotify_get_mark_safe() handles marks that belong to unrelated notification groups: when it evaluates such a mark it can return false, and the caller then skips the permission check entirely. The result is a false positive on permission events that bypasses fanotify's intended access control logic. The upstream fix skips detached marks that are not in the current group, restoring correct permission enforcement.
Critical Impact
A logic error in fanotify permission handling allows the kernel to bypass permission checks under specific conditions involving marks on unrelated notification groups.
Affected Products
- Linux kernel (mainline and stable branches containing the fanotify permission event code path)
- Distributions shipping vulnerable kernel versions prior to applying the upstream commits
- Systems using fanotify permission events for access control or anti-malware integrations
Discovery Timeline
- 2026-05-28 - CVE-2026-46150 published to the National Vulnerability Database (NVD)
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46150
Vulnerability Analysis
The fanotify subsystem in the Linux kernel provides file access notification and supports permission events that allow user-space agents to allow or deny file operations. Permission events are commonly used by anti-malware, sandboxing, and access control tooling. Correct enforcement depends on the kernel evaluating every relevant mark before permitting an operation.
The vulnerability stems from incorrect handling inside fsnotify_get_mark_safe(). The helper may return false when a mark belongs to a notification group other than the one currently being evaluated. The calling code treats this false result as an indication that no permission check is needed and proceeds without enforcement. This produces a false positive on permission events and bypasses the permission check that should have been applied to the marks owned by the current group.
Root Cause
The root cause is a logic error in mark traversal. fsnotify_get_mark_safe() does not correctly distinguish between detached marks and marks belonging to other groups. When it encounters a mark on an unrelated group, it short-circuits in a way that causes the permission check to be skipped rather than continuing to the next relevant mark. This is a kernel-level logic flaw in file system notification handling.
Attack Vector
Exploitation requires local conditions where a process triggers file operations covered by a fanotify permission listener while marks from multiple groups are present. The CVE record does not assign a CVSS vector, and no public proof-of-concept exploit is referenced. The practical impact is that security tooling relying on fanotify permission events may fail to block operations it was configured to deny, weakening enforcement on affected hosts.
The fix is published across the following upstream Linux kernel commits:
- 7746e3b
- 7baa02b0
- 895ebbed
- b7b24b28
- f130790f
Detection Methods for CVE-2026-46150
Indicators of Compromise
- No file-based or network indicators are associated with this kernel logic flaw. The bug manifests as missing permission denials rather than artifacts on disk.
- Unexpected file operations succeeding despite an active fanotify permission listener configured to deny them.
- Gaps in audit or anti-malware logs where a corresponding FAN_ACCESS_PERM or FAN_OPEN_PERM decision was expected but absent.
Detection Strategies
- Inventory running kernels with uname -r and compare against fixed versions referenced in distribution security advisories tracking the upstream commits.
- Audit user-space agents that depend on fanotify permission events and verify enforcement with controlled test cases that exercise multi-group mark scenarios.
- Correlate process file access telemetry against the decisions returned by fanotify listeners to identify discrepancies.
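The first detection strategy above (inventory running kernels and compare them against fixed versions) is easy to get wrong across a mixed fleet because `uname -r` carries distribution suffixes. The following is an added example, not part of the advisory, that parses `uname -r` output and compares the upstream patch level against a per-stable-branch table of fixed patch levels. The advisory names only commit ids, not kernel versions, so the table values in `__main__` are placeholders to be filled from your distribution's advisory; the hostnames and release strings are constructed sample data.

```python
"""Fleet triage for CVE-2026-46150: does a running kernel predate the fix?

Added example, not the advisory's own tooling. FIXED_PATCH_LEVEL values below are
PLACEHOLDERS; take the real patch levels from your distribution's security advisory.
"""
import re
from typing import Dict, List, Optional, Tuple

Branch = Tuple[int, int]  # (major, minor) of an upstream stable branch

# Matches the leading "major.minor[.patch]" of `uname -r`; the distro suffix
# ("-91-generic", "-arch1-1", ".el9_4.x86_64") is deliberately ignored.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from a kernel release string."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def predates_fix(release: str, fixed: Dict[Branch, int]) -> Optional[bool]:
    """True if the kernel sits on a tracked stable branch below the fixed patch
    level, False if it is at or above it, None if the branch is not in the table.

    Caveat: only meaningful where the patch number tracks upstream stable. Enterprise
    kernels (e.g. RHEL's 5.14.0-*.el9) backport fixes without bumping it, so for those
    compare the distribution package version instead of `uname -r`.
    """
    major, minor, patch = parse_release(release)
    fixed_patch = fixed.get((major, minor))
    if fixed_patch is None:
        return None
    return patch < fixed_patch


def triage(hosts: Dict[str, str], fixed: Dict[Branch, int]) -> Dict[str, List[str]]:
    """Bucket {hostname: uname -r output} into vulnerable / fixed / unknown."""
    out: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, release in hosts.items():
        verdict = predates_fix(release, fixed)
        key = "unknown" if verdict is None else ("vulnerable" if verdict else "fixed")
        out[key].append(host)
    return out


if __name__ == "__main__":
    # PLACEHOLDER table: stable branch -> first patch level carrying the fix.
    FIXED_PATCH_LEVEL: Dict[Branch, int] = {(6, 6): 99, (6, 12): 99, (5, 15): 999}
    # Constructed inventory sample, e.g. collected with `ssh host uname -r`.
    INVENTORY = {
        "web01": "6.6.12-arch1-1",
        "db01": "6.12.7",
        "legacy01": "5.15.0-91-generic",
        "appliance": "4.19.300",
    }
    for bucket, names in triage(INVENTORY, FIXED_PATCH_LEVEL).items():
        print(f"{bucket:>10}: {', '.join(names) or '-'}")
```

Hosts landing in the "unknown" bucket are on a branch you have not mapped; treat them as unpatched until a distribution advisory says otherwise rather than silently ignoring them.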
Monitoring Recommendations
- Monitor kernel package versions across the fleet and alert when hosts run kernels predating the fix commits.
- Track health and decision counts of any fanotify permission listener service to spot unexpected drops in deny events.
- Review distribution advisories for backported fixes and validate that long-term support kernels include the patch.
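The second monitoring recommendation (track decision counts of the fanotify permission listener and spot drops in deny events) is the one signal that actually reflects this bug's symptom, since a skipped permission check shows up as denials that never happen. The following added example, not from the advisory or any real agent, buckets listener decisions per time window and flags windows where activity continues but no deny decision was issued. The log format (`<epoch> <ALLOW|DENY> <pid> <path>`) is hypothetical and the lines are constructed; adapt `parse_decisions` to whatever your listener actually emits.

```python
"""Flag windows in which a fanotify permission listener stopped denying anything.

Added example with a constructed, hypothetical log format:
    <epoch-seconds> <ALLOW|DENY> <pid> <path>
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: two denials in the first 5-minute window, then a window of
# steady activity with zero denials (the symptom we want to surface), then a quiet one.
SAMPLE_LOG = """\
1780000200 DENY 4120 /srv/quarantine/a.bin
1780000230 ALLOW 4121 /usr/bin/ls
1780000260 ALLOW 4122 /etc/hosts
1780000290 DENY 4123 /srv/quarantine/b.bin
1780000320 ALLOW 4124 /usr/bin/cat
1780000350 ALLOW 4125 /home/u/notes.txt
1780000500 ALLOW 4126 /srv/quarantine/c.bin
1780000530 ALLOW 4127 /usr/bin/ls
1780000560 ALLOW 4128 /srv/quarantine/d.bin
1780000590 ALLOW 4129 /etc/hosts
1780000620 ALLOW 4130 /srv/quarantine/e.bin
1780000650 ALLOW 4131 /usr/bin/cat
1780000800 ALLOW 4132 /usr/bin/ls
1780000830 ALLOW 4133 /etc/hosts
"""

Event = Tuple[int, str]  # (epoch seconds, decision)


def parse_decisions(text: str) -> List[Event]:
    """Extract (timestamp, decision) pairs; malformed or blank lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        decision = parts[1].upper()
        if decision not in ("ALLOW", "DENY"):
            continue
        events.append((int(parts[0]), decision))
    return events


def decisions_per_window(events: List[Event], window: int = 300) -> Dict[int, Counter]:
    """Count ALLOW/DENY decisions per fixed-size window keyed by window start."""
    buckets: Dict[int, Counter] = {}
    for ts, decision in events:
        start = ts - (ts % window)
        buckets.setdefault(start, Counter())[decision] += 1
    return buckets


def flag_deny_dropouts(buckets: Dict[int, Counter], min_events: int = 5) -> List[int]:
    """Return window starts that saw at least min_events decisions but no DENY.

    A quiet window with few events is not evidence of anything, hence the floor;
    a busy window with zero denials is worth a look when the policy normally denies.
    """
    return sorted(
        start for start, c in buckets.items()
        if sum(c.values()) >= min_events and c["DENY"] == 0
    )


if __name__ == "__main__":
    buckets = decisions_per_window(parse_decisions(SAMPLE_LOG))
    for start in sorted(buckets):
        print(start, dict(buckets[start]))
    print("suspicious windows:", flag_deny_dropouts(buckets))
```

A zero-deny window is only a signal if the policy would normally have denied something, so pair this with a canary: have a scheduled job periodically open a path the listener is configured to deny, and alert if any window lacks the corresponding DENY. That turns "no denials" from an ambiguous absence into a concrete expected event that either appears or does not.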
How to Mitigate CVE-2026-46150
Immediate Actions Required
- Identify all Linux hosts running kernels that include the vulnerable fanotify permission handling code path.
- Apply the kernel update from your distribution vendor as soon as a fixed package is available, then reboot affected systems.
- Reassess any security control that relies solely on fanotify permission events and add compensating controls where feasible.
Patch Information
The issue is resolved upstream by skipping detached marks that are not in the current group inside fsnotify_get_mark_safe(). The fix is spread across five commits on the stable tree: 7746e3b, 7baa02b0, 895ebbed, b7b24b28, and f130790f. Install the kernel package from your Linux distribution that includes these changes.
Workarounds
- No supported workaround replaces patching. The fix is a correction to kernel logic and cannot be replicated through configuration changes.
- Where patching is delayed, reduce reliance on fanotify permission events as the sole enforcement mechanism and layer additional access controls such as Linux Security Modules (SELinux, AppArmor) or mandatory access control policies.
- Restrict local access on multi-tenant systems to limit which users can trigger file operations against listeners while the patch is pending.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.