CIFSwitch: 19-Year-Old Linux Flaw Grants Root Access
CIFSwitch is the name of the new local privilege escalation vulnerability on Linux. What are the risks linked to this security flaw, which has been present in the code for 19 years? Here’s what you need to know.
The bad streak continues for the Linux kernel. After Copy Fail, Dirty Frag, Dirty Decrypt and Fragnesia, let’s look at CIFSwitch.
What is the CIFSwitch vulnerability?
This vulnerability is directly related to the Linux kernel and the CIFS (Common Internet File System) protocol, notably because the cifs-utils package must be present on the machine for exploitation to be possible. As a reminder, CIFS is a dialect of the SMB protocol. It is therefore used to read and write data on remote network shares.
The security issue associated with the CIFSwitch flaw occurs when Kerberos authentication must be performed to mount a network share via CIFS (SMB). In this case, the Linux kernel calls on a helper tool directly in user space and accessible through cifs-utils.
"The kernel requests a key of type cifs.spnego, and the normal keyutils/request-key configuration runs cifs.upcall as root to retrieve or build the Kerberos/SPNEGO material," explains Asim Viladi Oglu Manizada, the researcher behind this discovery.
The problem is that the CIFS subsystem of the Linux kernel does not check whether cifs.spnego key requests actually come from the kernel’s own CIFS client. This gives a local attacker an opening: even as an unprivileged (standard) user, they can forge a fake cifs.spnego request and trigger the normal authentication process.
The cifs.upcall helper tool, running with root privileges, then blindly trusts attacker-controlled fields. The researcher explains that the attacker can then switch namespaces and trigger an NSS lookup to execute code with root permissions.
"At this stage, libnss_pwn.so.2 can create a sudoers.d configuration file containing the attacker’s username, as in the PoC," the report reads. This exploit code is also available on GitHub, in the form of a Python script.
Which Linux distributions are affected?
Let’s start with some good news: this is not a universal exploit, unlike previous critical security flaws. In fact, exploitation of this vulnerability does not depend only on the Linux kernel version: a vulnerable version of the cifs-utils package must also be installed on the machine, and user namespaces must be available. Several conditions therefore need to be met before exploitation of this vulnerability can be considered.
To be more precise:
- The cifs-utils package version 6.14 or later is vulnerable. However, the researcher notes that "backports of other CVE fixes have also introduced issues in older versions of cifs-utils", so older versions may also be affected.
- An unprivileged user must be allowed to create and mount user namespaces.
- In some cases, SELinux or AppArmor security policies block this attack.
The researcher explains that this security flaw has been present in the Linux kernel since 2007, i.e. for 19 years.
So, which distributions are vulnerable?
In the report published by the researcher, there are several fairly comprehensive tables on the subject. In their default configuration, the following distributions are vulnerable:
- Linux Mint 21.3 / 22.3,
- CentOS Stream 9,
- Rocky Linux 9 Workstation,
- Kali Linux 2021.4 to 2026.1,
- AlmaLinux 9.7,
- SLES 15 SP7, SLES SAP 16.
Other distributions are also vulnerable if the cifs-utils package has been installed, including:
- Ubuntu 18.04/20.04/22.04/24.04 Desktop/Server
- Pop!_OS 22.04/24.04
- Debian 11/12/13
- openSUSE Leap 15.6
- And others...
Meanwhile, other distributions such as Ubuntu 26.04, Fedora 40 to 44, or Rocky Linux 10 are not vulnerable. The reason: the default AppArmor and SELinux policies block exploitation. Be careful: if you have disabled SELinux (setenforce 0), then the CIFSwitch vulnerability becomes exploitable!
Protecting yourself from the CIFSwitch flaw
On May 19, 2026, a patch was added to the Linux kernel code (commit 3da1fdf). It adds validation of the origin of cifs.spnego requests, which fixes the vulnerability. You therefore need to check whether the kernel shipped by your distribution includes this patch.
Otherwise, you can apply a mitigation directly on your machine. There are several possible options. But be careful: this may prevent you from accessing SMB/CIFS network shares (so do not do this if you need that functionality).
The first: uninstall the cifs-utils package.

```sh
# Debian, Ubuntu and derivatives
apt remove cifs-utils
# AlmaLinux, Fedora and derivatives
dnf remove cifs-utils
```

The second: block Kerberos/SPNEGO authentication on your machine.
This keeps SMB/CIFS mounts available on the machine but disables Kerberos/SPNEGO authentication for them (whether that is acceptable depends on whether you use it). Below are the commands provided by the researcher to apply this method.
```sh
cat > /etc/request-key.d/cifs.spnego.conf <<'EOF'
create cifs.spnego * * /usr/sbin/keyctl negate %k 30 %S
EOF
```

The third: disable the CIFS module if it is not being used.
```sh
sudo sh -c "printf 'install cifs /bin/false\n' > /etc/modprobe.d/cifswitch.conf; rmmod cifs 2>/dev/null; true"
```

Good luck!
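To check where a machine stands against the conditions listed earlier (cifs-utils version, user namespaces) and against the three mitigations above, here is an added example: a read-only POSIX shell script that is not code from the article or from the researcher's report. It assumes the paths the mitigations write to (/etc/request-key.d/cifs.spnego.conf and /etc/modprobe.d), the standard sysctl names user.max_user_namespaces and kernel.unprivileged_userns_clone for user-namespace availability, and the 6.14 threshold quoted in the article; older versions are reported separately rather than declared safe, because of the backport issues the researcher mentions.

```sh
#!/bin/sh
# CIFSwitch exposure check. Added example, not from the article or the researcher.
# It only reads package metadata and configuration files; it attempts nothing else.
# Assumptions: 6.14+ is the vulnerable cifs-utils range quoted in the article; the
# config paths below are the ones the article's mitigations write to; the sysctl
# names are the standard user-namespace knobs on Debian/Ubuntu and RHEL-family kernels.

# Reduce a package version such as "2:6.14-1ubuntu1" to "6.14" (epoch and
# distro release suffix removed) so it can be compared numerically.
normalize_version() {
    v="$1"
    v=${v#*:}       # drop epoch
    v=${v%%-*}      # drop distro release suffix
    printf '%s\n' "$v"
}

# Return 0 if cifs-utils VERSION is in the range the article calls vulnerable
# (6.14 or later), 1 if older, 2 if the string cannot be parsed.
cifs_utils_version_vulnerable() {
    v=$(normalize_version "$1")
    major=${v%%.*}
    case "$v" in *.*) rest=${v#*.}; minor=${rest%%.*} ;; *) minor=0 ;; esac
    case "$major$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt 6 ] && return 0
    [ "$major" -eq 6 ] && [ "$minor" -ge 14 ]
}

# Return 0 if request-key config CONF hands cifs.spnego requests to "keyctl negate"
# instead of cifs.upcall (the article's second mitigation).
spnego_negated() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -Eq '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]].*keyctl[[:space:]]+negate' "$conf"
}

# Return 0 if a file in modprobe directory DIR contains "install cifs /bin/false"
# (the article's third mitigation).
cifs_module_blocked() {
    dir="$1"
    [ -d "$dir" ] || return 1
    grep -Eqs '^[[:space:]]*install[[:space:]]+cifs[[:space:]]+/bin/false' "$dir"/*.conf
}

# Return 0 if unprivileged user namespaces look available, reading sysctl files
# under PROC_ROOT (normally /proc). user.max_user_namespaces=0, or
# kernel.unprivileged_userns_clone=0 where that knob exists, means unavailable.
userns_available() {
    root="${1:-/proc}"
    max=$(cat "$root/sys/user/max_user_namespaces" 2>/dev/null || echo 0)
    [ "${max:-0}" -gt 0 ] 2>/dev/null || return 1
    clone="$root/sys/kernel/unprivileged_userns_clone"
    if [ -r "$clone" ]; then
        [ "$(cat "$clone")" = "1" ] || return 1
    fi
    return 0
}

# Print the installed cifs-utils version (dpkg first, then rpm); fail if absent.
installed_cifs_utils_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        out=$(dpkg-query -W -f '${db:Status-Status} ${Version}' cifs-utils 2>/dev/null) &&
            case "$out" in installed\ *) printf '%s\n' "${out#installed }"; return 0 ;; esac
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' cifs-utils 2>/dev/null && return 0
    fi
    return 1
}

# Short exposure report for the current host.
report() {
    ver=$(installed_cifs_utils_version) || ver=""
    if [ -z "$ver" ]; then
        echo "cifs-utils: not installed (first mitigation in effect)"
    elif cifs_utils_version_vulnerable "$ver"; then
        echo "cifs-utils: $ver installed, in the 6.14+ range the article calls vulnerable"
    else
        echo "cifs-utils: $ver installed, older than 6.14 (check vendor advisory for backports)"
    fi
    if spnego_negated /etc/request-key.d/cifs.spnego.conf; then
        echo "request-key: cifs.spnego negated (second mitigation in effect)"
    else
        echo "request-key: cifs.spnego handled by cifs.upcall"
    fi
    if cifs_module_blocked /etc/modprobe.d; then
        echo "modprobe: cifs module blocked (third mitigation in effect)"
    else
        echo "modprobe: cifs module loadable"
    fi
    if userns_available; then
        echo "userns: unprivileged user namespaces available"
    else
        echo "userns: unprivileged user namespaces unavailable"
    fi
}

report
```

Run it as any user (it only reads files). A host showing a 6.14+ cifs-utils, no negated cifs.spnego entry, a loadable cifs module and available user namespaces meets every condition the article lists; the script does not inspect SELinux or AppArmor policies, which the article says are what protect Fedora 40 to 44, Ubuntu 26.04 and Rocky Linux 10 by default, so treat its verdict as a precondition check, not a definitive answer.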