
CIFSwitch: Kernel Vulnerability Enables Local Privilege Escalation to Root on Linux


In a nutshell: A roughly 19-year-old validation gap between the Linux kernel's CIFS subsystem and the root-privileged cifs.upcall helper lets a local, unprivileged attacker obtain root by forging a key request and having the helper load an attacker-supplied NSS library.

A newly disclosed Linux kernel vulnerability, named CIFSwitch, enables local, unprivileged users to gain root privileges. The vulnerability affects the CIFS subsystem (Common Internet File System, the kernel's SMB client) and was identified by security engineer Asim Viladi Oglu Manizada from SpaceX.

CIFSwitch exploits a validation flaw in the Linux kernel's CIFS client, the component responsible for mounting and managing SMB/CIFS network shares. The problem arises from a faulty interaction between the kernel's native CIFS subsystem and the user-space cifs-utils package from version 6.14 onward; older branches may also be vulnerable under certain conditions.

The attack vector targets the authentication process for Kerberos-protected network shares. When a Linux system connects to such a share, the kernel does not perform the Kerberos exchange itself: it requests a key of type cifs.spnego, and the kernel's request-key mechanism launches the cifs.upcall helper, which runs with root privileges, to produce it. The fundamental error is that the kernel never verifies whether a request for a cifs.spnego key actually originates from the legitimate CIFS client. Because key requests can be issued by ordinary processes, a local attacker can submit a forged request with a self-chosen key description and thus steer the authentication workflow.

The cifs.upcall program trusts the fields of the key description, all of which the attacker controls, because it incorrectly assumes the kernel has already validated them. Through targeted manipulation of these fields, an attacker can make the helper switch into namespaces the attacker has set up. Before it drops its root privileges, the helper in this manipulated state performs a lookup through the Name Service Switch (NSS). Because the process is now inside a namespace the attacker controls, the lookup resolves to an attacker-prepared NSS library, which is loaded into the still-root process and executes arbitrary code with root privileges.

According to the discoverer, the bug was introduced into the kernel source code in 2007 and remained undetected for approximately 19 years. Exploitation is not universal but requires several conditions to hold at once: a vulnerable kernel version, a matching cifs-utils build with cifs.upcall installed, unprivileged user namespaces enabled, and no confining LSM policy (AppArmor or SELinux) restricting the helper. Distributions listed as affected include Linux Mint, CentOS Stream, Rocky Linux, AlmaLinux, and Kali Linux.
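The preconditions above translate into a quick host audit. The following POSIX shell script is an added example written for this page, not code from the discoverer or from the cifs-utils project. It separates the verdict logic (pure functions over given inputs, so it can be unit-tested offline) from a best-effort live collector; the 6.14 threshold is taken from the article, while the file paths and commands the collector consults (/proc/sys/user/max_user_namespaces, the Debian/Ubuntu-specific /proc/sys/kernel/unprivileged_userns_clone, /sys/kernel/security/lsm, getenforce, aa-enabled) are assumptions about typical systems and may not all exist on yours.

```shell
#!/bin/sh
# Added example: audit the CIFSwitch exposure preconditions named in the article.
# Not part of the original disclosure; paths and heuristics are assumptions.

# ver_ge A B: succeed when dotted numeric version A >= B (first three fields).
# Trailing suffixes such as "-33-generic" are stripped before comparing.
ver_ge() {
  va=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
  vb=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
  i=1
  while [ "$i" -le 3 ]; do
    fa=$(printf '%s' "$va" | cut -s -d. -f"$i"); fb=$(printf '%s' "$vb" | cut -s -d. -f"$i")
    # A version with no dots has no field 2/3 under cut -s; treat the whole string as field 1.
    [ "$i" -eq 1 ] && { fa=${va%%.*}; fb=${vb%%.*}; }
    fa=${fa:-0}; fb=${fb:-0}
    [ "$fa" -gt "$fb" ] && return 0
    [ "$fa" -lt "$fb" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# cifswitch_exposure KVER HAS_UPCALL USERNS LSM
#   KVER       kernel release string (uname -r)
#   HAS_UPCALL yes|no   cifs.upcall helper installed
#   USERNS     yes|no   unprivileged user namespaces permitted
#   LSM        yes|no   AppArmor or SELinux actively confining the helper
# Prints one verdict token and succeeds only for "exposed".
cifswitch_exposure() {
  kver=$1; upcall=$2; userns=$3; lsm=$4
  # Article: versions 6.14 and higher; older branches "may" be affected, so do not
  # report them as safe, only as undetermined.
  if ! ver_ge "$kver" 6.14; then echo "undetermined:kernel-below-6.14"; return 1; fi
  [ "$upcall" = yes ] || { echo "not-affected:no-cifs.upcall"; return 1; }
  [ "$userns" = yes ] || { echo "mitigated:unprivileged-userns-disabled"; return 1; }
  [ "$lsm" = yes ] && { echo "mitigated:lsm-confinement"; return 1; }
  echo "exposed"
  return 0
}

# collect_live: gather the four inputs from the running host (best effort,
# assumed locations) and print the verdict. Run as: sh audit.sh --live
collect_live() {
  kver=$(uname -r)
  upcall=no
  { command -v cifs.upcall >/dev/null 2>&1 || [ -x /usr/sbin/cifs.upcall ]; } && upcall=yes
  userns=yes
  # Mainline knob: 0 means no user namespaces at all. Debian/Ubuntu knob: 0 blocks unprivileged clone.
  [ -r /proc/sys/user/max_user_namespaces ] && [ "$(cat /proc/sys/user/max_user_namespaces)" -eq 0 ] && userns=no
  [ -r /proc/sys/kernel/unprivileged_userns_clone ] && [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" -eq 0 ] && userns=no
  lsm=no
  if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" = Enforcing ]; then lsm=yes; fi
  if command -v aa-enabled >/dev/null 2>&1 && aa-enabled >/dev/null 2>&1; then lsm=yes; fi
  # Presence in the active LSM list alone does not prove a profile covers cifs.upcall,
  # so it is reported but does not change the verdict on its own.
  [ -r /sys/kernel/security/lsm ] && printf 'active LSMs: %s\n' "$(cat /sys/kernel/security/lsm)"
  printf 'kernel=%s cifs.upcall=%s unpriv-userns=%s lsm-enforcing=%s\n' "$kver" "$upcall" "$userns" "$lsm"
  cifswitch_exposure "$kver" "$upcall" "$userns" "$lsm"
}

case "${1:-}" in --live) collect_live ;; esac
```

The AppArmor check only establishes that AppArmor is enabled, not that a profile actually confines cifs.upcall, so a "mitigated:lsm-confinement" result on an AppArmor host should be confirmed by inspecting the loaded profiles. Treat "undetermined" as a prompt to check your distribution's advisory rather than as a clean result.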


Source: www.it-daily.net · Published 11 June 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrasing and classification via Lumi News Pipeline v1.6.5.
