CIFSwitch: 19-year-old Linux CIFS bug gives any local user root
Researcher Asim Manizada disclosed CIFSwitch on May 28 — a cifs.spnego upcall flaw that grants root on default Mint, Rocky, AlmaLinux, Kali, and SUSE 15 SP7.
Security researcher Asim Manizada disclosed CIFSwitch on the oss-security mailing list on May 28, 2026 — a local privilege escalation in the Linux kernel's CIFS client that hands any unprivileged user a root shell on a wide set of distributions in their default configuration. The bug sits at the boundary between the kernel's keyring subsystem and the userspace cifs.upcall helper shipped in cifs-utils, and the underlying primitive has been present in the kernel since 2007. Manizada published the full write-up and a working proof-of-concept exploit on github.com/manizada/CIFSwitch. A CVE ID is still pending at the time of writing.
No in-the-wild exploitation has been reported. The PoC is public, the embargo is over, and distribution maintainers are pushing kernels — assume the window from "PoC online" to "in a commodity toolchain" is short.
The bug
When a CIFS share mounts with Kerberos authentication (sec=krb5*), the kernel asks the userspace keyring for a key of type cifs.spnego. The keyring subsystem invokes cifs.upcall — a root-privileged helper — which performs the SPNEGO/Kerberos handshake and returns a service ticket the kernel then uses to authenticate the mount.
The defect: the kernel does not validate that a cifs.spnego key description actually originated from the CIFS subsystem before treating it as trusted. An unprivileged user can populate the keyring with a forged cifs.spnego request of their choosing and provoke the root-running cifs.upcall to perform authenticated actions on their behalf, which in turn allows a controlled local root escalation. Manizada's PoC chains the upcall manipulation into a stable root shell in a single execution.
Affected and fixed
Per AlmaLinux's coordinated advisory, Rocky Linux mitigation guidance from CIQ, and Manizada's own write-up, the distributions confirmed exploitable out of the box — meaning a fresh install with default packages is vulnerable to an unprivileged local user — include:
- Linux Mint 21.3 and 22.3
- CentOS Stream 9
- Rocky Linux 9
- AlmaLinux 9
- Kali Linux 2021.4 through 2026.1
- SUSE Linux Enterprise Server 15 SP7
Ubuntu and Debian are not vulnerable in their default configurations — the kernel bug is present, but cifs-utils is not installed by default, and the upcall helper is the trigger. Either distribution becomes exploitable as soon as cifs-utils lands. The same goes for any system that ships a CIFS-mounting workload, including containers and CI workers built on those bases.
Patched kernels were prepared during the coordinated embargo. CloudLinux published its updated kernel on May 28. AlmaLinux is currently asking operators to test the patched kernels and report regressions. Verify kernel version and the cifs-utils package version against your distribution's advisory before declaring a host clean.
Action checklist
- Patch the kernel. For Mint, Rocky, AlmaLinux, Kali, and SUSE 15 SP7, treat this as a same-day update on any host that an untrusted user can log into — including jump hosts, multi-tenant build runners, CI workers, and any container host where workloads share a kernel.
- Audit for cifs-utils on Ubuntu and Debian. If the package is installed, you are in scope regardless of distribution defaults: run dpkg -l cifs-utils or apt list --installed 2>/dev/null | grep cifs-utils. Patch the kernel; do not rely on uninstalling cifs-utils as a long-term fix.
- Block the cifs.spnego key type as an interim mitigation if you cannot patch immediately. CIQ's knowledge-base article above documents the workaround for Rocky Linux 8/9/10 and the LTS variants — it disables Kerberos-authenticated CIFS mounts, which may break workloads, but it kills the exploit path.
- Test the PoC against your own fleet. Manizada's exploit is small, standalone, and version-independent for the supported targets. Running it in a controlled VM mirror of your build is the fastest way to confirm whether your patched kernel actually neutralizes the bug — the embargo lifted four days ago and not every "updated" kernel will have shipped the validator.
- Watch parent-process anomalies for cifs.upcall. A cifs.upcall invocation that is not the child of a CIFS mount operation is the signature of the exploit. Sysmon-equivalent telemetry on Linux (auditd, Falco) can flag the pattern; tune it before the PoC starts appearing in commodity tooling.
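One way to implement the last checklist item, as an added example that is not from Manizada's write-up or any distribution advisory: it parses simplified, constructed auditd SYSCALL (execve) records and flags every cifs.upcall execution that no mount.cifs execution preceded within a short window. Because the kernel spawns the upcall through the request-key helper rather than as a direct child of mount.cifs, the example correlates on time instead of on ppid; the 30-second window and the trimmed record format are assumptions.

```python
"""Flag cifs.upcall executions with no recent CIFS mount to explain them."""
import re
from dataclasses import dataclass

# Assumed tolerance between a mount.cifs exec and the upcall it triggers.
WINDOW_SECONDS = 30.0

# Constructed, trimmed auditd SYSCALL records (syscall=59 is execve on x86_64).
# The third record is an upcall 15 minutes after the only mount: the anomaly.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1717000000.100:501): syscall=59 success=yes ppid=1200 pid=1301 auid=1000 uid=0 comm="mount.cifs" exe="/usr/sbin/mount.cifs"
type=SYSCALL msg=audit(1717000000.350:502): syscall=59 success=yes ppid=2 pid=1302 auid=4294967295 uid=0 comm="cifs.upcall" exe="/usr/sbin/cifs.upcall"
type=SYSCALL msg=audit(1717000900.000:601): syscall=59 success=yes ppid=2 pid=1400 auid=4294967295 uid=0 comm="cifs.upcall" exe="/usr/sbin/cifs.upcall"
type=SYSCALL msg=audit(1717000950.000:602): syscall=59 success=yes ppid=1500 pid=1501 auid=1001 uid=1001 comm="bash" exe="/usr/bin/bash"
"""

RECORD_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>\d+\.\d+):(?P<id>\d+)\):.*?'
    r'syscall=59 .*?\bcomm="(?P<comm>[^"]*)"'
)


@dataclass
class Exec:
    ts: float       # audit timestamp, seconds since epoch
    event_id: int   # audit event serial
    comm: str       # executed command name


def parse_execs(log_text):
    """Extract execve records; lines that are not SYSCALL/execve are ignored."""
    execs = []
    for line in log_text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            execs.append(Exec(float(m.group("ts")), int(m.group("id")), m.group("comm")))
    return execs


def find_orphan_upcalls(log_text, window=WINDOW_SECONDS):
    """Return event ids of cifs.upcall execs with no mount.cifs exec in the window before them."""
    execs = sorted(parse_execs(log_text), key=lambda e: e.ts)
    mount_times = [e.ts for e in execs if e.comm == "mount.cifs"]
    flagged = []
    for e in execs:
        if e.comm != "cifs.upcall":
            continue
        if not any(0 <= e.ts - m <= window for m in mount_times):
            flagged.append(e.event_id)
    return flagged


if __name__ == "__main__":
    for event_id in find_orphan_upcalls(SAMPLE_LOG):
        print(f"ALERT: cifs.upcall exec (audit event {event_id}) with no preceding CIFS mount")
```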
Context
CIFSwitch is the fourth Linux local privilege escalation to land with a public PoC inside roughly four weeks. It follows the Copy Fail AF_ALG bug (CVE-2026-31431, added to CISA's KEV on May 1 after evidence of in-the-wild exploitation), the Dirty Frag kernel-fragmentation chain disclosed around May 8, and Fragnesia in mid-May. Each one ships with a small, stable exploit that crosses distributions without per-target tuning — the same characteristic that made Dirty COW and Dirty Pipe so durable in commodity toolchains years after their disclosure.
What sets CIFSwitch apart inside this cluster is the install-default scope: the operator does not have to opt into anything. A fresh Rocky 9 box with the standard package selection is exploitable on first boot. For shared infrastructure — university timesharing servers, multi-tenant Kubernetes worker nodes, contractor jump hosts, build farms — that default matters more than the CVSS number a CVE eventually carries.