CVE-2025-68788

fsnotify: do not generate ACCESS/MODIFY events on child for special files

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: fsnotify: do not generate ACCESS/MODIFY events on child for special files inotify/fanotify do not allow users with no read access to a file to
subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the
same user to subscribe for watching events on children when the user
has access to the parent directory (e.g. /dev). Users with no read access to a file but with read access to its parent
directory can still stat the file and see if it was accessed/modified
via atime/mtime change. The same is not true for special files (e.g. /dev/null). Users will not
generally observe atime/mtime changes when other users read/write to
special files, only when someone sets atime/mtime via utimensat(). Align fsnotify events with this stat behavior and do not generate
ACCESS/MODIFY events to parent watchers on read/write of special files.
The events are still generated to parent watchers on utimensat(). This
closes some side-channels that could be possibly used for information
exfiltration [1]. [1] https://snee.la/pdf/pubs/file-notification-attacks.pdf

In the Linux kernel, the following vulnerability has been resolved: fsnotify: do not generate ACCESS/MODIFY events on child for special files inotify/fanotify do not allow users with no read access to a file to subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the same user to subscribe for watching events on children when the user has access to the parent directory (e.g. /dev). Users with no read access to a file but with read access to its parent directory can still stat the file and see if it was accessed/modified via atime/mtime change. The same is not true for special files (e.g. /dev/null). Users will not generally observe atime/mtime changes when other users read/write to special files, only when someone sets atime/mtime via utimensat(). Align fsnotify events with this stat behavior and do not generate ACCESS/MODIFY events to parent watchers on read/write of special files. The events are still generated to parent watchers on utimensat(). This closes some side-channels that could be possibly used for information exfiltration [1]. [1] https://snee.la/pdf/pubs/file-notification-attacks.pdf

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the oldstable distribution (bookworm), these problems have been fixed in version 6.1.162-1.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-12-24 CVE Reserved
2026-01-13 CVE Published
2026-02-09 CVE Updated
2026-03-22 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/72acc854427948efed7a83da27f7dc3239ac9afc	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/df2711544b050aba703e6da418c53c7dc5d443ca	2026-01-19
https://git.kernel.org/stable/c/859bdf438f01d9aa7f84b09c1202d548c7cad9e8	2026-01-19
https://git.kernel.org/stable/c/6a7d7d96eeeab7af2bd01afbb3d9878a11a13d91	2026-01-11
https://git.kernel.org/stable/c/e0643d46759db8b84c0504a676043e5e341b6c81	2026-01-11
https://git.kernel.org/stable/c/82f7416bcbd951549e758d15fc1a96a5afc2e900	2026-01-08
https://git.kernel.org/stable/c/7a93edb23bcf07a3aaf8b598edfc2faa8fbcc0b6	2026-01-02
https://git.kernel.org/stable/c/635bc4def026a24e071436f4f356ea08c0eed6ff	2025-12-15

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.36 < 5.10.248 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.36 < 5.10.248"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.36 < 5.15.198 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.36 < 5.15.198"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.36 < 6.1.160 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.36 < 6.1.160"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.36 < 6.6.120 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.36 < 6.6.120"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.36 < 6.12.64 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.36 < 6.12.64"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.36 < 6.18.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.36 < 6.18.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.36 < 6.19 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.36 < 6.19"		en		Affected