PT-2026-43907 · Linux · Linux

Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-46040

Severity: None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(), the error path calls inotify_remove_from_idr() but does not call dec_inotify_watches() to undo the preceding inc_inotify_watches(). This leaks a watch count, and repeated failures can exhaust the max_user_watches limit with -ENOSPC even when no watches are active.
Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace limits"), the watch count was incremented after fsnotify_add_mark_locked() succeeded, so this path was not affected. The conversion moved inc_inotify_watches() before the mark insertion without adding the corresponding rollback.
Add the missing dec_inotify_watches() call in the error path.
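
The following is an added example, not kernel code and not part of the original advisory: a user-space C model of the count-then-insert ordering described above, run with and without the rollback. The struct, the helper names, the limit of 8 and the -ENOMEM failure are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the per-user watch counter and its limit. */
struct ucounts { int watches; int max_user_watches; };

static bool inc_watches(struct ucounts *uc)
{
    if (uc->watches >= uc->max_user_watches)
        return false;
    uc->watches++;
    return true;
}

static void dec_watches(struct ucounts *uc) { uc->watches--; }

/* Stand-in for the mark insertion; fails on demand (assumed -ENOMEM). */
static int add_mark(bool fail) { return fail ? -ENOMEM : 0; }

/* Ordering after the conversion: count first, then insert the mark. */
static int new_watch(struct ucounts *uc, bool mark_fails, bool with_fix)
{
    if (!inc_watches(uc))
        return -ENOSPC;
    int ret = add_mark(mark_fails);
    if (ret && with_fix)
        dec_watches(uc);            /* the rollback the fix adds */
    return ret;                     /* without it, the count stays raised */
}

/* Drive `failures` failed insertions, then attempt one normal watch. */
static int watch_after_failures(int limit, int failures, bool with_fix,
                                int *leaked)
{
    struct ucounts uc = { .watches = 0, .max_user_watches = limit };
    for (int i = 0; i < failures; i++)
        new_watch(&uc, true, with_fix);
    *leaked = uc.watches;           /* no watch is active, so expect 0 */
    return new_watch(&uc, false, with_fix);
}

int main(void)
{
    int leaked;
    int ret = watch_after_failures(8, 8, false, &leaked);
    printf("unfixed: leaked=%d ret=%d\n", leaked, ret);
    ret = watch_after_failures(8, 8, true, &leaked);
    printf("fixed:   leaked=%d ret=%d\n", leaked, ret);
    return 0;
}
```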

Related Identifiers

CVE-2026-46040

Affected Products

Linux