
New CIFSwitch Linux flaw gives root on multiple distributions

Published:

30 May 2026 at 14:16:08

Alert date:

30 May 2026 at 15:00:48

Source:

bleepingcomputer.com


Operating Systems, Zero-Day Vulnerabilities

A newly disclosed local privilege escalation vulnerability in the Linux kernel, dubbed 'CIFSwitch', lets an unprivileged local user forge CIFS authentication (cifs.spnego) key descriptions and abuse the kernel's key request mechanism to obtain root. The flaw affects multiple Linux distributions and poses a significant risk to any system that has the kernel CIFS client and the cifs-utils package installed, since a successful exploit compromises the whole host. The root cause is that the kernel's CIFS subsystem does not check that a cifs.spnego key request actually originated from its own CIFS client.

Technical details

CIFSwitch is a local privilege escalation vulnerability in the Linux kernel's CIFS subsystem. The flaw exists because the kernel does not verify that cifs.spnego key requests originate from its own CIFS client. An unprivileged user can therefore submit a forged cifs.spnego key request and trigger the normal authentication workflow, in which the kernel's key request mechanism runs the root-privileged cifs.upcall helper. That helper trusts attacker-controlled fields in the key description, assuming the kernel generated them. By abusing those fields to force a namespace switch and then triggering a Name Service Switch (NSS) lookup before privileges are dropped, a local attacker can make the helper load a malicious NSS module and execute code as root. The vulnerable code was introduced in 2007, 19 years before disclosure.

Mitigation steps:

Apply kernel patches that validate the origin of cifs.spnego key requests (upstream commit 3da1fdf)
Disable or blacklist the cifs kernel module where CIFS mounts are not needed
Remove the cifs-utils package (which provides the root-privileged cifs.upcall helper) where it is not needed
Disable unprivileged user namespaces
Re-run the published proof-of-concept after patching to confirm that the fix and any interim mitigations actually block the attack
Confine cifs.upcall with an SELinux or AppArmor policy that denies it loading libraries from user-controlled locations
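
The following POSIX shell script is an added example, not code from the advisory, the kernel or cifs-utils. It checks whether the mitigations listed above are in place on a host. It assumes the standard request-key.conf syntax (create cifs.spnego * * /usr/sbin/cifs.upcall %k), the usual helper paths /usr/sbin/cifs.upcall or /sbin/cifs.upcall, and that unprivileged user namespaces are governed by the user.max_user_namespaces sysctl or the Debian/Ubuntu-specific kernel.unprivileged_userns_clone. Every function takes an optional root prefix, so setting CIFSWITCH_ROOT to a fixture directory runs the checks offline.

```shell
#!/bin/sh
# cifswitch_check.sh: verify the CIFSwitch mitigations on a host.
# Added example; not from the advisory, the kernel or cifs-utils.
# Each function takes an optional root prefix (default "" = live system)
# so the same checks can be run against a fixture tree (assumed layout).

# 1. Is cifs.spnego still routed to a root-privileged helper?  request-key
#    config lines have the shape:  create cifs.spnego * * /usr/sbin/cifs.upcall %k
spnego_upcall_configured() {
    root=${1:-}
    for f in "$root/etc/request-key.conf" "$root"/etc/request-key.d/*.conf; do
        [ -r "$f" ] || continue
        if grep -Eq '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]]' "$f"; then
            return 0
        fi
    done
    return 1
}

# 2. Is the cifs.upcall helper binary still installed (cifs-utils present)?
cifs_upcall_present() {
    root=${1:-}
    for p in "$root/usr/sbin/cifs.upcall" "$root/sbin/cifs.upcall"; do
        if [ -x "$p" ]; then
            return 0
        fi
    done
    return 1
}

# 3. Is the cifs kernel module blocked?  "install cifs /bin/false" blocks both
#    autoload and an explicit modprobe; "blacklist cifs" only stops alias-based
#    autoload, so it is accepted here but is the weaker of the two.
cifs_module_blocked() {
    root=${1:-}
    for f in "$root"/etc/modprobe.d/*.conf; do
        [ -r "$f" ] || continue
        if grep -Eq '^[[:space:]]*(blacklist[[:space:]]+cifs|install[[:space:]]+cifs[[:space:]]+/bin/(false|true))[[:space:]]*$' "$f"; then
            return 0
        fi
    done
    return 1
}

# 4. Are unprivileged user namespaces off?  Accepts either the mainline
#    user.max_user_namespaces=0 or the Debian/Ubuntu kernel.unprivileged_userns_clone=0,
#    read through /proc/sys so a fixture tree can stand in for the live kernel.
unprivileged_userns_disabled() {
    root=${1:-}
    for f in "$root/proc/sys/kernel/unprivileged_userns_clone" \
             "$root/proc/sys/user/max_user_namespaces"; do
        if [ -r "$f" ] && [ "$(cat "$f")" = "0" ]; then
            return 0
        fi
    done
    return 1
}

# Count the mitigations still missing, describe each on stderr and print the
# number on stdout.  A kernel carrying the upstream fix needs none of these;
# until that is confirmed for the running kernel, each open item is exposure.
cifswitch_exposure_count() {
    root=${1:-}
    n=0
    if spnego_upcall_configured "$root" && cifs_upcall_present "$root"; then
        echo "cifs.spnego is still handled by a root-privileged cifs.upcall" >&2
        n=$((n + 1))
    fi
    if ! cifs_module_blocked "$root"; then
        echo "cifs module is not blocked in modprobe.d" >&2
        n=$((n + 1))
    fi
    if ! unprivileged_userns_disabled "$root"; then
        echo "unprivileged user namespaces are enabled" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

cifswitch_exposure_count "${CIFSWITCH_ROOT:-}"
```

The exposure count treats the request-key mapping and the helper binary together: a cifs.spnego line that points at a cifs.upcall which has been removed is not reachable, which is why removing cifs-utils counts as closing that item. The script cannot tell whether the running kernel already carries the upstream fix; check that against the distribution's advisory.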

Affected products:

Linux kernel CIFS subsystem
cifs-utils versions 6.14 and higher
Linux Mint 21.3 / 22.3
CentOS Stream 9
Rocky Linux 9
AlmaLinux 9
Kali Linux 2021.4–2026.1
SLES 15 SP7
Ubuntu (various versions with cifs-utils installed)
Debian (various versions with cifs-utils installed)
Pop!_OS (various versions with cifs-utils installed)
openSUSE (various versions with cifs-utils installed)
Oracle Linux (various versions with cifs-utils installed)
Amazon Linux (various versions with cifs-utils installed)

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website shows information from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
