The "CIFSwitch" vulnerability is a local privilege escalation flaw in the Linux kernel's CIFS subsystem, where an unprivileged user can forge a cifs.spnego key request to trick the root-privileged cifs.upcall helper into loading a malicious NSS module, leading to root code execution. The article confirms several distributions, including Linux Mint, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali Linux, and SLES 15 SP7, are vulnerable in default configurations. A kernel patch has been released; as a workaround, users should disable CIFS modules or cifs-utils if unused and disable unprivileged user namespaces.
Vulnerability Management New CIFSwitch vulnerability allows Linux privilege escalation June 1, 2026 Share By SC Staff (Adobe Stock) Bleeping Computer reports that a newly discovered local privilege escalation vulnerability, dubbed "CIFSwitch," has been found in the Linux kernel. This flaw could potentially allow attackers to forge CIFS authentication key descriptions and abuse the kernel's key request mechanism to gain root privileges. The CIFSwitch vulnerability, which was discovered by SpaceX Security Engineer Asim Viladi Oglu Manizada, impacts multiple Linux distributions that use vulnerable versions of the Linux kernel's CIFS subsystem and the cifs-utils package. The issue arises because the Linux kernel's CIFS subsystem fails to verify that cifs.spnego key requests originate from the kernel's CIFS client. This allows an unprivileged user to create a forged request, tricking the root-privileged cifs.upcall helper into trusting attacker-controlled fields. By manipulating these fields, an attacker can trigger a namespace switch and load a malicious NSS module, ultimately achieving root code execution. The vulnerability was introduced approximately 19 years ago and its exploitability depends on factors like kernel and cifs-utils versions, user namespace availability, and security policies. Several Linux distributions, including Linux Mint, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali Linux, and SLES 15 SP7, are confirmed to be vulnerable with default configurations. A kernel patch has been released to address the issue, and users are advised to disable CIFS modules or cifs-utils if unused, and disable unprivileged user namespaces. Source: Bleeping Computer SC Staff Related Patch/Configuration Management Microsoft resolves Windows 11 update installation errors SC Staff June 1, 2026 The installation failures, often accompanied by messages like "Something didn't go as planned. Undoing changes," and log entries indicating "SpaceCheck" and "ServicingBootFiles failed," occurred when the ESP had 10 MB or less of available space. Vulnerability Management Critical vulnerability in WP Maps Pro allows rogue administrator account creation SC Staff June 1, 2026 The vulnerability stems from a temporary access feature intended for vendor support. Vulnerability Management PAN-OS authentication bypass bug added to list of exploited vulnerabilities Steve Zurier June 1, 2026 While NIST upgraded the bug to 9.1, experts say teams must focus more on how attackers can exploit this flaw to gain VPN access. Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Bug Buffer Overflow Disassembly You can skip this ad in 5 seconds