HIGH
fanotify Permission Bypass
CVE-2026-46150
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
KernelScan AI5.5MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: fanotify: fix false positive on permission events fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check. Fix by skipping over detached marks that are not in the current group.
02KernelScan AI Analysis
Risk summary
Local users with low privileges can bypass fanotify permission checks, potentially accessing files that should be blocked by security policies. This affects systems using fanotify for access control, such as antivirus scanners or data loss prevention tools.
Vulnerability analysis
The vulnerability occurs in fsnotify_prepare_user_wait() where fsnotify_get_mark_safe() incorrectly returns false for marks belonging to unrelated groups, causing the permission check logic to fail and bypass security controls. The original code treated any failure to get a mark reference as a fatal error, but marks from other groups naturally fail this check during normal operation. The fix adds group validation to skip over detached marks that don't belong to the current group, ensuring permission checks are only bypassed for legitimate failures within the target group. This is locally exploitable by any user who can trigger file access events monitored by fanotify.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | a24765332e12 |
| 5.15 | 5.15.209 | 4a7611ad6537 |
| 6.1 | 6.1.175 | 04bb66be92f4 |
| 6.12 | 6.12.88 | f130790f1acc |
| 6.18 | 6.18.30 | 7baa02b0ae9d |
| 6.6 | 6.6.140 | 895ebbedf883 |
| 7.0 | 7.0.7 | b7b24b28c8cd |
| mainline | 7.1-rc2 | 7746e3bd4cc1 |