CIFSwitch flaw lets local attackers gain Linux root

CIFSwitch Linux – A newly discovered Linux kernel privilege-escalation flaw dubbed “CIFSwitch” can let unprivileged users forge CIFS Kerberos key requests and, through a chain of kernel-to-user-space trust, load a malicious Name Service Switch module to execute root code. Resea
On a Linux system, the path from a “normal” user account to full root control is usually blocked by layers of checks. CIFSwitch turns that assumption into a headache: it exploits how the Linux CIFS networking subsystem hands authentication work to a user-space helper running as root.
The vulnerability, dubbed “CIFSwitch,” is a local privilege escalation issue in the Linux kernel that could allow attackers to forge CIFS authentication key descriptions, abuse the kernel’s key request mechanism, and gain root privileges.
It affects multiple Linux distributions that ship vulnerable combinations of the kernel CIFS client and cifs-utils, with cifs-utils versions 6.14 and higher flagged as part of the risk (though some older variants are also affected). CIFS, or Common Internet File System, is the networking protocol Linux uses to mount, read, and write data from remote systems.
When a CIFS network share uses Kerberos for authentication, the Linux kernel doesn’t perform the whole exchange itself. Instead, it asks a helper program in user space to do the authentication. In that workflow, the cifs-utils collection of user-space tools acts as the intermediary.
“The kernel requests a cifs.spnego-type key, and the normal keyutils/request-key config runs cifs.upcall as root to fetch or build the Kerberos/SPNEGO material,” explained Asim Viladi Oglu Manizada, a SpaceX security engineer who discovered and named the CIFSwitch privilege escalation vulnerability in Linux.
The core failure, Manizada said, is that the Linux kernel’s CIFS subsystem fails to verify that cifs.spnego key requests originate from the kernel’s CIFS client. That opens a door for an unprivileged user to create a forged cifs.spnego request and trigger the normal authentication workflow.
A cifs.spnego key request is used by the Linux keyring subsystem to obtain authentication data needed by the CIFS/SMB client when connecting to a network share using Kerberos/SPNEGO authentication. The flaw’s danger comes from how the root-privileged cifs.upcall helper handles the request details: it ends up trusting attacker-controlled fields that it assumes were generated by the kernel.
Manizada describes a method to weaponize that trust. An attacker can abuse these fields to force a namespace switch, then trigger a Name Service Switch (NSS) lookup before privileges are dropped. That timing gap can allow the attacker to load a malicious NSS module and achieve root code execution.
Manizada has published an extensive technical report detailing both the cause and the leverage path to root.
CIFSwitch has been around far longer than most people will guess—introduced 19 years ago in 2007. But Manizada stressed it is “non-universal,” meaning exploitation depends on several factors, including the vulnerable kernel version.
Other prerequisites include a vulnerable cifs-utils version, the availability of user namespaces, and SELinux/AppArmor policies that don’t block the attack.
Manizada confirmed the following distributions as vulnerable with their default configurations:
Linux Mint 21.3 / 22.3
CentOS Stream 9
Rocky Linux 9
AlmaLinux 9
Kali Linux 2021.4–2026.1
SLES 15 SP7
He also noted that various Ubuntu, Debian, Pop!_OS, openSUSE, Oracle Linux, and Amazon Linux versions might be vulnerable if ‘cifs-utils’ is installed.
Not every system with the same general components is necessarily exposed, though. Manizada pointed to versions where default SELinux/AppArmor settings prevent exploitation of CIFSwitch: Ubuntu 26.04, Fedora 40-44, CentOS Stream 10, Rocky Linux 10, SLES 16, AlmaLinux 10, and openSUSE Leap 16.
Some environments appear unaffected entirely. Amazon Linux 2 and Kali Linux 2019.4 and 2020.4 are not affected at all, Manizada said, because their cifs-utils versions lack the namespace-switch functionality.
A kernel patch addresses the problem by adding validation of cifs.spnego request origins, tied to upstream commit 3da1fdf. The exact kernel versions that include that patch vary by distribution.
Manizada’s practical recommendations reflect the attack chain: disable or blacklist the CIFS module if it’s unused, remove the cifs-utils package if it’s unnecessary, and disable unprivileged user namespaces.
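The prerequisites listed earlier (kernel CIFS client present, cifs-utils installed and wired into request-key, unprivileged user namespaces available) and the mitigations just described can be checked and applied from one script. The POSIX shell below is an added example, not code from the article or from Manizada's report or PoC; the request-key config sample is constructed, and the sysctl names and the modprobe/sysctl file paths are assumptions based on common distribution layouts.

```shell
#!/bin/sh
# Constructed sample of the request-key config cifs-utils typically installs
# (file name and content are an assumption, not taken from the article).
SAMPLE_REQUEST_KEY_CONF='# /etc/request-key.d/cifs.spnego.conf
create  cifs.spnego  *  *  /usr/sbin/cifs.upcall %k'

# Print the program request-key would run as root for cifs.spnego keys,
# given the text of a request-key config; empty output means no handler.
# Format: create <type> <description> <callout_info> <program> <args...>
spnego_handler_from_conf() {
    printf '%s\n' "$1" | awk '$1 == "create" && $2 == "cifs.spnego" { print $5; exit }'
}

# Classify unprivileged user-namespace availability from two sysctls:
# user.max_user_namespaces (upstream) and kernel.unprivileged_userns_clone
# (Debian/Ubuntu kernels). Pass "absent" when a sysctl does not exist; an
# absent upstream limit is treated as exposed, the conservative reading.
userns_exposure() {
    max_ns=$1; unpriv_clone=$2
    if [ "$unpriv_clone" = 0 ] || [ "$max_ns" = 0 ]; then
        echo restricted
    else
        echo exposed
    fi
}

# Emit the config fragments for the article's mitigations (paths assumed).
cifswitch_mitigation_config() {
    cat <<'EOF'
# /etc/modprobe.d/cifswitch.conf (only if no CIFS/SMB mounts are needed)
blacklist cifs
install cifs /bin/false
# /etc/sysctl.d/99-cifswitch.conf (disable unprivileged user namespaces;
# on Debian/Ubuntu kernels kernel.unprivileged_userns_clone = 0 also works)
user.max_user_namespaces = 0
EOF
}

# Live audit of the running host: one finding per prerequisite.
cifswitch_audit() {
    if lsmod | grep -q '^cifs '; then echo "cifs module: loaded"; else echo "cifs module: not loaded"; fi
    if command -v cifs.upcall >/dev/null 2>&1; then echo "cifs.upcall: present"; else echo "cifs.upcall: absent"; fi
    conf=$(cat /etc/request-key.conf /etc/request-key.d/*.conf 2>/dev/null)
    handler=$(spnego_handler_from_conf "$conf")
    echo "cifs.spnego handler: ${handler:-none}"
    max_ns=$(sysctl -n user.max_user_namespaces 2>/dev/null || echo absent)
    unpriv=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null || echo absent)
    echo "unprivileged user namespaces: $(userns_exposure "$max_ns" "$unpriv")"
}

if [ "${1:-}" = --audit ]; then cifswitch_audit; fi
```

Run it with `--audit` to print the findings for the current host, or pipe `cifswitch_mitigation_config` into the named files after confirming CIFS mounts are not in use.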
To help organizations check whether the installed fixes and mitigations actually hold, Manizada also published a proof-of-concept (PoC) exploit for CIFSwitch. The PoC can be used to validate patch effectiveness and the impact of mitigations.
CIFSwitch is the latest addition to a growing set of privilege-elevation flaws disclosed for Linux systems in recent reporting, including ‘Copy Fail,’ ‘Dirty Frag,’ ‘Fragnesia,’ ‘DirtyDecrypt,’ and ‘PinTheft.’