New Linux CIFSwitch Kernel Vulnerability Allows Attackers to Gain Root Access
Cybersecurity NewsArchived May 28, 2026✓ Full text saved
A newly disclosed Linux local privilege escalation (LPE) vulnerability dubbed “CIFSwitch” enables low-privileged users to gain root access by abusing a logic flaw between the Linux kernel CIFS client and the userspace cifs-utils package. The bug was discovered by security researcher Asim Manizada, who has published a detailed technical write-up and PoC to help defenders assess their exposure […] The post New Linux CIFSwitch Kernel Vulnerability Allows Attackers to Gain Root Access appeared first
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
New Linux CIFSwitch Kernel Vulnerability Allows Attackers to Gain Root Access
By Abinaya
May 28, 2026
A newly disclosed Linux local privilege escalation (LPE) vulnerability dubbed “CIFSwitch” enables low-privileged users to gain root access by abusing a logic flaw between the Linux kernel CIFS client and the userspace cifs-utils package.
The bug was discovered by security researcher Asim Manizada, who has published a detailed technical write-up and PoC to help defenders assess their exposure and validate patches.
The issue stems from improper validation of key descriptions in the CIFs.Spnego key type, allowing unprivileged users to impersonate trusted kernel requests and trigger privileged operations.
Linux CIFSwitch Kernel Vulnerability
The vulnerability was found using an AI-assisted, multihop reasoning approach that builds and walks semantic graphs of security-relevant objects and flows, enabling the chaining of subtle logic flaws into a practical exploit.
The advisory was disclosed after an embargo coordinated with Linux distributions, and upstream kernel patches are already available.
CIFS/SMB is a widely used Windows-style network filesystem protocol on Linux. In this architecture, the kernel CIFS client handles core filesystem operations.
At the same time, Kerberos/SPNEGO authentication is delegated to a root-privileged userspace helper, cifs—upcall, provided by cifs-utils.
The interaction uses Linux keyrings: the kernel calls request_key() for CIFS. spnego key, passing a trusted description string that encodes parameters such as server, UID, credential UID, PID, and namespace target.
The /sbin/request-key policy then launches cifs—upcall as root to process that request.
Manizada’s research showed that the kernel did not verify whether the cifs.The SPnego key description actually originated from the CIFS subsystem before being treated as trusted.
This omission allows any unprivileged process to directly invoke request_key(“cifs.spnego”, <crafted_description>, …).
Because the key type is cifs, spnego, the default request-key rule still spawns cifs. Upcall as root, even though the description is fully attacker-controlled.
The exploit chain hinges on two elements in that forged description: pid and upcall_target.
By setting upcall_target=app and supplying a malicious pid, the attacker causes cifs. Upcall to switch into the namespaces of the attacker-controlled process before it performs NSS-based account lookups and finally drops privileges.
Inside this attacker-controlled mount namespace, a rogue nsswitch.conf and malicious libnss_*.so.2 can be planted so that a root-privileged NSS lookup loads and executes arbitrary code.
In Manizada’s PoC, the malicious NSS module writes an entry into /etc/sudoers.d, granting the attacker effective root access.
The underlying kernel bug traces back to 2007. However, successful exploitation requires several conditions:
A vulnerable kernel, a compatible cifs-utils version (notably 6.14+ or older builds with backported changes), and unprivileged user namespace creation.
Linux Security Module (LSM) policies such as SELinux or AppArmor that do not block the attack path.
Testing shows that many mainstream distributions are exploitable out of the box when cifs-utils is present. In contrast, others are only exploitable after installing cifs-utils or relaxing default LSM policies.
The upstream kernel fix adds a vet_description hook for the cifs. SPNEGO key type, ensuring descriptions are accepted only when the request is made under the CIFS client’s internal spnego_cred, effectively blocking unprivileged userspace from masquerading as the kernel.
Further hardening is recommended in cifs-utils so that cifs. Upcall does not unquestioningly trust key descriptions as originating from the kernel.
Asim Manizada has published the full technical write-up (“CIFSwitch”) and the PoC exploit on GitHub to support defenders, maintainers, and incident responders in verifying mitigations and patch coverage.
Administrators should urgently deploy the backported kernel patches and consider defense-in-depth measures such as disabling CIFS where unused, removing cifs-utils, and tightening request-key rules for cifs. spnego, and restricting unprivileged user namespaces.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
Ubiquiti Patches Critical UniFi OS Vulnerabilities Allowing Remote Privilege Escalation
New BTMOB Malware Lets Attackers Remotely Control Android Devices
Veeam Backup & Replication Tool Vulnerability Enables Privilege Escalation Attacks
Phishing Services Use RCS and iMessage to Bypass Traditional SMS Security Filters
How Top CISOs Increase Risk Visibility for Zero Critical Incidents
Latest News
Cyber Security News
VaultJacking Attack Steals Entire Google Password Manager Vault With One Captured PIN
Cyber Security News
AI-Generated npm Malware Accidentally Exposes Threat Actor’s Private GitHub Token
Cyber Security News
Claude Opus 4.8 Released With Ability to Work as an Experienced Engineer
Cyber Security
New Gogs 0-Day Vulnerability Lets Attackers Run Malicious Code on the Server Remotely
Cyber Security
Critical OpenVPN Connect for macOS Vulnerability Let Attackers Execute Arbitrary Commands