CVE-2025-68788
Description
In the Linux kernel, the following vulnerability has been resolved:
fsnotify: do not generate ACCESS/MODIFY events on child for special files
inotify/fanotify do not allow users with no read access to a file to subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the same user to subscribe for watching events on children when the user has access to the parent directory (e.g. /dev).
Users with no read access to a file but with read access to its parent directory can still stat the file and see if it was accessed/modified via atime/mtime change.
The same is not true for special files (e.g. /dev/null). Users will not generally observe atime/mtime changes when other users read/write to special files, only when someone sets atime/mtime via utimensat().
Align fsnotify events with this stat behavior and do not generate ACCESS/MODIFY events to parent watchers on read/write of special files. The events are still generated to parent watchers on utimensat(). This closes some side-channels that could possibly be used for information exfiltration [1].
[1] https://snee.la/pdf/pubs/file-notification-attacks.pdf
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel fsnotify now suppresses ACCESS/MODIFY events for special files to prevent side-channel information leaks.
Root Cause
The vulnerability stems from the fsnotify subsystem in the Linux kernel, which was generating ACCESS and MODIFY events for child special files (e.g., /dev/null) even when the watching user lacks read access to the file itself. While inotify and fanotify enforce permissions on direct file watches, they allowed users with read access to the parent directory to monitor children for file events. For regular files, users could indirectly infer access/modification via atime/mtime stat calls, but special files do not generally exhibit such timestamp changes. The inconsistency created a side-channel where event notifications could leak information about file accesses not otherwise observable.
Exploitation
An attacker with read access to a parent directory (e.g., /dev) but no read access to a special file (e.g., /dev/null) could subscribe to events on that directory and observe ACCESS/MODIFY events generated when other users read from or write to the special file. This attack does not require elevated privileges beyond normal file-system access. The issue was identified in published research on file notification attacks (the paper cited as [1] in the description), and this patch closes that information leak.
Impact
By exploiting this side-channel, an attacker can infer when other processes or users interact with special files, potentially leaking sensitive information such as timing of operations or usage patterns. The impact is primarily information disclosure, which could aid in further attacks or surveillance.
Mitigation
The fix has been backported to multiple stable kernel trees via commits [1], [2], and [3] (the git.kernel.org commits listed under References). Users are advised to update their Linux kernel to include these patches. There is no workaround short of applying the patch or restricting access to the parent directories of special files.
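To check whether a running kernel carries this fix, the following added example (not part of this CVE record or of the kernel patch) puts an inotify watch on a parent directory and performs its own read of /dev/zero and write of /dev/null, then reports whether the parent watcher was told about that I/O; it assumes a Linux host where the caller has read and execute access to /dev, and the directory and child names are parameters.

```python
import ctypes
import os
import select
import struct

IN_ACCESS, IN_MODIFY = 0x1, 0x2
IN_NONBLOCK = 0o4000               # same value as O_NONBLOCK on Linux
EVENT_HDR = struct.Struct("iIII")  # struct inotify_event: wd, mask, cookie, len

def _drain(fd, timeout):
    # Collect {child_name: mask} for every event readable on the inotify fd.
    seen = {}
    while select.select([fd], [], [], timeout)[0]:
        buf = os.read(fd, 65536)
        off = 0
        while off + EVENT_HDR.size <= len(buf):
            _wd, mask, _cookie, length = EVENT_HDR.unpack_from(buf, off)
            off += EVENT_HDR.size
            name = buf[off:off + length].rstrip(b"\0").decode()
            seen[name] = seen.get(name, 0) | mask
            off += length
        timeout = 0.1              # keep reading until the queue goes quiet
    return seen

def special_file_events_leak(parent="/dev", read_child="zero", write_child="null"):
    """Watch `parent` (read+exec on the directory suffices), do I/O on two special
    files beneath it; None if inotify is unavailable, else {"access", "modify"}
    booleans, True meaning the parent watcher was told about that I/O (pre-fix)."""
    if not hasattr(os, "uname") or os.uname().sysname != "Linux":
        return None
    libc = ctypes.CDLL(None)
    libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]
    fd = libc.inotify_init1(IN_NONBLOCK)
    if fd < 0:
        return None
    try:
        if libc.inotify_add_watch(fd, parent.encode(), IN_ACCESS | IN_MODIFY) < 0:
            return None
        # Only I/O returning a positive byte count reaches fsnotify_access()/
        # fsnotify_modify(), so read /dev/zero (reads of /dev/null return 0 bytes).
        with open(os.path.join(parent, read_child), "rb", buffering=0) as f:
            f.read(16)
        with open(os.path.join(parent, write_child), "wb", buffering=0) as f:
            f.write(b"x")
        seen = _drain(fd, 0.5)
    except OSError:
        return None
    finally:
        os.close(fd)
    return {"access": bool(seen.get(read_child, 0) & IN_ACCESS),
            "modify": bool(seen.get(write_child, 0) & IN_MODIFY)}
```

A patched kernel returns both flags False; a kernel without the fix returns True for the I/O it still reports to the parent watcher.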
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
References
- https://git.kernel.org/stable/c/635bc4def026a24e071436f4f356ea08c0eed6ff (nvd)
- https://git.kernel.org/stable/c/6a7d7d96eeeab7af2bd01afbb3d9878a11a13d91 (nvd)
- https://git.kernel.org/stable/c/7a93edb23bcf07a3aaf8b598edfc2faa8fbcc0b6 (nvd)
- https://git.kernel.org/stable/c/82f7416bcbd951549e758d15fc1a96a5afc2e900 (nvd)
- https://git.kernel.org/stable/c/859bdf438f01d9aa7f84b09c1202d548c7cad9e8 (nvd)
- https://git.kernel.org/stable/c/df2711544b050aba703e6da418c53c7dc5d443ca (nvd)
- https://git.kernel.org/stable/c/e0643d46759db8b84c0504a676043e5e341b6c81 (nvd)