CIFSwitch Vulnerability in Linux Allows Root Access via CIFS Exploit

Severity: High (Score: 70.5)

Sources: github.com, Bleepingcomputer, Cybersecuritynews, heyitsas.im

Published: 2026-05-30 · Updated: 2026-05-30

Keywords: linux, cifswitch, kernel, root, vulnerability, flaw, attackers

Severity indicators: vulnerability, flaw, ot

Summary

A local privilege escalation vulnerability named 'CIFSwitch' has been discovered in the Linux kernel, enabling low-privileged users to gain root access. This flaw affects multiple Linux distributions that use vulnerable versions of the kernel's CIFS and cifs-utils. The vulnerability arises from the kernel's failure to verify the origin of cifs.spnego key requests, allowing attackers to forge requests. Distributions such as Ubuntu, Debian, and openSUSE are confirmed to be vulnerable under default configurations. A patch has been released to address the issue by validating request origins. The researcher, Asim Manizada, has provided a detailed technical report and proof of concept to aid in assessing exposure. Exploitation depends on several factors, including kernel and cifs-utils versions and specific security policies. Some distributions, including Amazon Linux 2 and certain versions of Kali Linux, are not affected due to their cifs-utils versions lacking the necessary functionality.

Key Points:

  • CIFSwitch vulnerability allows root access via forged CIFS authentication requests.
  • Multiple Linux distributions, including Ubuntu and Debian, are affected by this flaw.
  • A patch has been released to fix the vulnerability by validating request origins.

Detailed Analysis

**Impact** Multiple Linux distributions are affected, including various versions of Ubuntu, Debian, Pop!_OS, openSUSE, Oracle Linux, and Amazon Linux where cifs-utils is installed. The vulnerability allows local, unprivileged users to escalate privileges to root, potentially compromising entire systems. Business and operational impacts include unauthorized full system control, risking data integrity and confidentiality on affected networked Linux systems. Geographic or sector-specific data is not provided.

**Technical Details** The vulnerability exploits a logic flaw in the Linux kernel CIFS client and the userspace cifs-utils package, allowing forged cifs.spnego key requests to trigger root-privileged authentication workflows. The flaw exists in the kernel’s failure to verify cifs.spnego request origins, enabling privilege escalation via the kernel key request mechanism. The issue was introduced in 2007 and fixed in upstream commit 3da1fdf, but patch availability varies by distribution. A proof-of-concept exploit has been published. No CVE identifiers or IOCs are provided.

**Recommended Response** Apply kernel patches that validate cifs.spnego request origins as per upstream commit 3da1fdf, ensuring the kernel and cifs-utils versions are updated. Disable or blacklist the CIFS kernel module if unused, remove cifs-utils if unnecessary, and disable unprivileged user namespaces to reduce attack surface. Verify SELinux/AppArmor policies are configured to block exploitation where applicable. Use the published PoC to validate patch effectiveness. No specific detection signatures or IOCs are provided.
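
The configuration mitigations in the recommended response can be audited per host. The script below is an added example, not taken from the researcher's report or any of the source articles; it reports which of the three mitigations are missing. The function names and the file locations it inspects (modprobe.d entries, the `cifs.upcall` helper shipped by cifs-utils, the two user-namespace sysctls) are assumptions based on common distribution defaults.

```shell
#!/bin/sh
# Added example, not from the original report: list which of the mitigations
# named above are missing. Each check takes a root prefix ("" = live system).
# File locations are common packaging defaults and are an assumption.

# cifs blacklisted or its load redirected in modprobe.d. An "install" override
# also stops an explicit "modprobe cifs"; "blacklist" only stops alias loads.
cifs_module_blocked() {
    grep -Eqs '^[[:space:]]*(blacklist[[:space:]]+cifs|install[[:space:]]+cifs[[:space:]]+/bin/(false|true))[[:space:]]*$' \
        "$1"/etc/modprobe.d/*.conf
}

# A modprobe.d entry does not unload a module that is already resident.
cifs_module_loaded() { grep -qs '^cifs ' "$1/proc/modules"; }

# cifs-utils is still installed if its cifs.upcall helper is on disk.
cifs_upcall_present() {
    [ -e "$1/usr/sbin/cifs.upcall" ] || [ -e "$1/sbin/cifs.upcall" ]
}

# Unprivileged user namespaces off, via the Debian/Ubuntu sysctl or the
# upstream per-user namespace limit.
userns_disabled() {
    for f in "$1/proc/sys/kernel/unprivileged_userns_clone" \
             "$1/proc/sys/user/max_user_namespaces"; do
        [ -r "$f" ] && [ "$(cat "$f")" = "0" ] && return 0
    done
    return 1
}

# Prints one line per gap; succeeds only when no gap is found. This inspects
# configuration only and says nothing about kernel patch level.
cifswitch_mitigation_gaps() {
    gaps=0
    if ! cifs_module_blocked "$1"; then
        echo "cifs module not blocked"; gaps=$((gaps + 1))
    elif cifs_module_loaded "$1"; then
        echo "cifs module blocked but still loaded"; gaps=$((gaps + 1))
    fi
    if cifs_upcall_present "$1"; then
        echo "cifs-utils installed (cifs.upcall present)"; gaps=$((gaps + 1))
    fi
    if ! userns_disabled "$1"; then
        echo "unprivileged user namespaces enabled"; gaps=$((gaps + 1))
    fi
    [ "$gaps" -eq 0 ]
}

cifswitch_mitigation_gaps "" || true
```

A clean result means the configuration mitigations are present; the kernel and cifs-utils package versions still have to be checked against the distribution's advisory.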

Source articles (4)

  • New Linux CIFSwitch Kernel Vulnerability Allows Attackers to Gain Root Access — Cybersecuritynews · 2026-05-28
    A newly disclosed Linux local privilege escalation (LPE) vulnerability dubbed “CIFSwitch” enables low-privileged users to gain root access by abusing a logic flaw between the Linux kernel CIFS client…
  • New CIFSwitch Linux flaw gives root on multiple distributions — Bleepingcomputer · 2026-05-30
    A newly discovered local privilege escalation vulnerability dubbed 'CIFSwitch' in the Linux kernel could allow attackers to forge CIFS authentication key descriptions, abuse the kernel's key request m…
  • Cifswitch — heyitsas.im · 2026-05-30
    TLDR: A distro-specific Linux LPE found by harnessing LLMs into better multihop knowledge composition. Read on for affected distros, mitigations, and vulnerability details. In Getting LLMs Drunk to Fi…
  • Cifs Spnego.c — github.com · 2026-05-30

Timeline

  • 2026-05-28 — CIFSwitch vulnerability disclosed: Asim Manizada published details of the CIFSwitch vulnerability, enabling root access through forged requests.
  • 2026-05-30 — Patch released for CIFSwitch vulnerability: A kernel patch was issued to validate cifs.spnego request origins, mitigating the risk of exploitation.

Related entities

  • Zero-day Exploit (Attack Type)
  • CWE-269 - Improper Privilege Management (Cwe)
  • T1068 - Exploitation for Privilege Escalation (Mitre Attack)
  • CIFS (Platform)
  • Cifs-utils (Platform)
  • Linux (Platform)
  • SMB (Platform)
  • Windows (Platform)
  • CIFSwitch (Vulnerability)