In the Linux kernel, the following vulnerability has been resolved:
inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(), the error path calls inotify_remove_from_idr() but does not call dec_inotify_watches() to undo the preceding inc_inotify_watches(). This leaks a watch count, and repeated failures can exhaust the max_user_watches limit with -ENOSPC even when no watches are active.
Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace limits"), the watch count was incremented after fsnotify_add_mark_locked() succeeded, so this path was not affected. The conversion moved inc_inotify_watches() before the mark insertion without adding the corresponding rollback.
Add the missing dec_inotify_watches() call in the error path.
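The accounting leak described above, as an added userspace model in C; it is not kernel code and not the fix's patch. struct watch_acct, inc_watches(), add_mark(), new_watch() and watch_after_failures() are hypothetical stand-ins, and the limit of 8 and the -ENOMEM failure are constructed values.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model, not kernel code. All names here are hypothetical. */
struct watch_acct {
    int watches;     /* watches currently charged to the user */
    int max_watches; /* models the max_user_watches limit */
};

/* Models inc_inotify_watches(): charge one watch, refuse at the limit. */
static bool inc_watches(struct watch_acct *a)
{
    if (a->watches >= a->max_watches)
        return false;
    a->watches++;
    return true;
}

/* Stand-in for fsnotify_add_inode_mark_locked(); -ENOMEM is a constructed error. */
static int add_mark(bool fail) { return fail ? -ENOMEM : 0; }

/* Ordering after commit 1cce1eea0aff: charge the count, then insert the mark. */
static int new_watch(struct watch_acct *a, bool mark_fails, bool fixed)
{
    if (!inc_watches(a))
        return -ENOSPC;
    int ret = add_mark(mark_fails);
    if (ret && fixed)
        a->watches--;   /* models the dec_inotify_watches() rollback the fix adds */
    return ret;         /* without the rollback, the charge outlives the failed watch */
}

/* Run `failures` failing insertions, then attempt one that should succeed. */
int watch_after_failures(int limit, int failures, bool fixed)
{
    struct watch_acct a = { .watches = 0, .max_watches = limit };
    for (int i = 0; i < failures; i++)
        new_watch(&a, true, fixed);
    return new_watch(&a, false, fixed);
}

int main(void)
{
    printf("unfixed: %d\n", watch_after_failures(8, 8, false));
    printf("fixed:   %d\n", watch_after_failures(8, 8, true));
    return 0;
}
```

In the unfixed model the final call returns -ENOSPC although no watch was ever successfully created, which is the symptom to look for on affected kernels.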
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46040.json"
}