LmCast :: Stay tuned in

New CIFSwitch Linux flaw gives root on multiple distributions

Recorded: May 30, 2026, 3:01 p.m.


By Bill Toulas

May 30, 2026
10:16 AM

A newly discovered local privilege escalation vulnerability dubbed 'CIFSwitch' in the Linux kernel could allow attackers to forge CIFS authentication key descriptions, abuse the kernel's key request mechanism, and gain root privileges.
The issue impacts multiple Linux distributions that ship vulnerable combinations of the kernel CIFS and cifs-utils (versions 6.14 and higher, although some older variants are also affected).
CIFS (Common Internet File System) is a networking protocol that allows access to files, folders, and devices across a local network. Linux uses it to mount, read, and write data from remote systems.
If a CIFS network share uses Kerberos for authentication, the Linux kernel asks a helper program in user space to perform authentication, with the cifs-utils collection of user-space tools serving as the intermediary.
"The kernel requests a cifs.spnego-type key, and the normal keyutils/request-key config runs cifs.upcall as root to fetch or build the Kerberos/SPNEGO material," explains Asim Viladi Oglu Manizada, a SpaceX security engineer who discovered and named the CIFSwitch privilege escalation vulnerability in Linux.
The researcher says that the problem consists of the Linux kernel's CIFS subsystem failing to verify that cifs.spnego key requests originate from the kernel's CIFS client.
As a result, an unprivileged user can create a forged cifs.spnego request and trigger the normal authentication workflow.
A cifs.spnego key request is used by the Linux keyring subsystem to obtain authentication data needed by the CIFS/SMB client when connecting to a network share using Kerberos/SPNEGO authentication.
The flaw allows the root-privileged cifs.upcall helper to trust attacker-controlled fields that it assumes were generated by the kernel.
By abusing these fields to force a namespace switch and then triggering a Name Service Switch (NSS) lookup before privileges are dropped, a local attacker can load a malicious NSS module and achieve root code execution.
Manizada has published an extensive technical report explaining the cause of the issue and how it can be leveraged to achieve root privileges.

Impact, fixes, and the exploit

Manizada says that CIFSwitch was introduced 19 years ago, in 2007. He adds that it is "non-universal" and exploiting it depends on several factors, such as a vulnerable kernel version.
Other prerequisites include a vulnerable cifs-utils version, the availability of user namespaces, and SELinux/AppArmor policies that don't block the attack.
Some distributions Manizada confirms as vulnerable with their default configurations are:
Linux Mint 21.3 / 22.3
CentOS Stream 9
Rocky Linux 9
AlmaLinux 9
Kali Linux 2021.4–2026.1
SLES 15 SP7
The researcher noted that various Ubuntu, Debian, Pop!_OS, openSUSE, Oracle Linux, and Amazon Linux versions might also be vulnerable if ‘cifs-utils’ is installed.
However, there are also versions such as Ubuntu 26.04, Fedora 40-44, CentOS Stream 10, Rocky Linux 10, SLES 16, AlmaLinux 10, and openSUSE Leap 16, where the default SELinux/AppArmor settings prevent exploitation of CIFSwitch.
Also, Amazon Linux 2 and Kali Linux 2019.4 and 2020.4 are not affected at all, as their cifs-utils versions lack the namespace-switch functionality.
CIFSwitch has been fixed by a kernel patch that adds validation of cifs.spnego request origins (upstream commit 3da1fdf), but the exact kernel versions that ship that patch vary per distribution.
The researcher recommends that users disable or blacklist the CIFS module if unused, remove the cifs-utils package if unnecessary, and disable unprivileged user namespaces.
Manizada published a proof-of-concept (PoC) exploit for CIFSwitch, which can help organizations validate the effectiveness of the applied patches and mitigations.
CIFSwitch is the latest in a series of privilege-elevation flaws impacting Linux systems that were recently disclosed, including ‘Copy Fail,’ ‘Dirty Frag,’ ‘Fragnesia,’ ‘DirtyDecrypt,’ and ‘PinTheft.’
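
The three mitigations the researcher recommends can be audited on a host with a short script. This is an added example, not code from the article or from the researcher's report; the paths it reads (/etc/modprobe.d, /etc/request-key.conf, /etc/request-key.d and the two /proc/sys entries) are the usual locations and are assumptions here, and it does not check the kernel patch level or the SELinux/AppArmor policy.

```shell
#!/bin/sh
# Added example: audit the CIFSwitch prerequisites that the recommended
# mitigations remove. ROOT ($1) defaults to "/", so the same checks can be
# pointed at a mounted image or a constructed test tree.

# Prerequisite 1: the cifs module is loaded, or nothing stops it from loading.
cifs_loadable() {
    p=${1:-/}; p=${p%/}
    grep -qs '^cifs ' "$p/proc/modules" && return 0
    # "blacklist cifs" or "install cifs /bin/false" in modprobe.d blocks loading.
    cat "$p"/etc/modprobe.d/*.conf 2>/dev/null | grep -Eq \
        '^[[:space:]]*(blacklist[[:space:]]+cifs|install[[:space:]]+cifs[[:space:]]+(/usr)?/bin/(false|true))[[:space:]]*$' \
        && return 1
    return 0
}

# Prerequisite 2: request-key is set up to run cifs.upcall for cifs.spnego keys
# (the rule cifs-utils installs; removing the package removes it).
upcall_configured() {
    p=${1:-/}; p=${p%/}
    grep -Eqs '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]].*cifs\.upcall' \
        "$p/etc/request-key.conf" "$p"/etc/request-key.d/*.conf
}

# Prerequisite 3: unprivileged user namespaces are available.
# unprivileged_userns_clone exists only on some distribution kernels;
# assumption: a missing file means the kernel does not restrict them.
userns_available() {
    p=${1:-/}; p=${p%/}
    max=$(cat "$p/proc/sys/user/max_user_namespaces" 2>/dev/null || echo 1)
    clone=$(cat "$p/proc/sys/kernel/unprivileged_userns_clone" 2>/dev/null || echo 1)
    [ "$max" != 0 ] && [ "$clone" != 0 ]
}

# Details go to stderr; stdout carries only the number of prerequisites
# still present (0 to 3), so callers can capture it.
cifswitch_report() {
    n=0
    for check in cifs_loadable upcall_configured userns_available; do
        if "$check" "$1"; then echo "PRESENT  $check" >&2; n=$((n + 1))
        else echo "BLOCKED  $check" >&2; fi
    done
    echo "$n"
}

cifswitch_report "${1:-/}"
```

A result of 0 means all three recommended mitigations are in place; any other value names the prerequisite that is still present on stderr.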


Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.


A newly discovered local privilege escalation vulnerability in the Linux kernel, dubbed CIFSwitch, presents a critical security risk by potentially allowing attackers to gain root privileges across multiple distributions. The flaw arises from a defect in the Linux kernel's CIFS subsystem: it fails to verify that cifs.spnego key requests originate from the kernel's CIFS client. As reported by Bill Toulas, the vulnerability was disclosed by the researcher who discovered it, and exploitation depends on a combination of factors, including a vulnerable kernel version, a vulnerable cifs-utils version, the availability of user namespaces, and permissive SELinux or AppArmor policies.

The mechanism by which this privilege escalation occurs is complex. CIFS is a networking protocol used in Linux for accessing files and devices across a local network. When Kerberos/SPNEGO authentication is used, the kernel requests authentication material via helper programs, utilizing the cifs-utils collection of user-space tools as intermediaries. The flaw allows an unprivileged user to forge a cifs.spnego request, which is then trusted by the root-privileged cifs.upcall helper. By abusing these trusted fields, an attacker can force a namespace switch and trigger a Name Service Switch (NSS) lookup before privileges are dropped. This sequence enables the attacker to load a malicious NSS module, ultimately achieving root code execution.

The vulnerability is not universal; its exploitability is conditional on several factors. Systems running vulnerable combinations of the kernel CIFS and cifs-utils, typically versions 6.14 and higher, are affected. Bill Toulas noted that several distributions, including Linux Mint, CentOS Stream, Rocky Linux, AlmaLinux, and Kali Linux, are confirmed as vulnerable under default configurations, while others, such as Ubuntu and Debian, might also be vulnerable if cifs-utils is installed. However, on certain distributions and versions, such as Ubuntu 26.04, Fedora 40-44, CentOS Stream 10, and specific AlmaLinux/SLES versions, the default SELinux or AppArmor settings prevent exploitation. Furthermore, systems like Amazon Linux 2 and specific Kali Linux versions are unaffected because their cifs-utils versions lack the necessary namespace-switch functionality.

The vulnerability was addressed by a kernel patch that introduces validation for the origins of cifs.spnego requests, corresponding to upstream commit 3da1fdf. Beyond the patch, Bill Toulas reports that the researcher recommends further defensive measures: disabling or blacklisting the CIFS module if it is not in use, removing the cifs-utils package if it is unnecessary for system functionality, and disabling unprivileged user namespaces to reduce the attack surface. The researcher has also provided a proof-of-concept exploit to assist organizations in validating the effectiveness of applied patches and mitigations. CIFSwitch is one of a series of privilege-elevation flaws affecting Linux systems disclosed recently, including Copy Fail, Dirty Frag, and PinTheft.