CIFSwitch: Linux Kernel Bug Grants Root Access on CentOS and Rocky Linux
CIFSwitch enables local privilege escalation to root across multiple Linux distributions. While a public PoC is available and an upstream patch exists, SELinux…

The CIFSwitch vulnerability, disclosed on May 28, 2026, by researcher Asim Manizada, enables unprivileged local users to gain root privileges on a dozen server and desktop Linux distributions. A proof-of-concept is already available on GitHub. However, the flaw is harmless on Fedora, Ubuntu 26.04 LTS, and CentOS Stream 10: the security boundary is not the kernel itself, but the operating system's containment policies.
- The Linux kernel accepts cifs.spnego key descriptions from any userspace process without verifying that they originate from the CIFS subsystem.
- The default request-key policy executes cifs.upcall as root with attacker-controlled parameters; the helper pivots into a local namespace and loads a malicious NSS module before dropping privileges.
- Linux Mint, CentOS Stream 9, Rocky Linux 9, Kali, AlmaLinux 9.7, SLES 15 SP7, and SLES SAP are exploitable out-of-the-box; Fedora 40-44, Ubuntu 26.04, CentOS Stream 10, and openSUSE Tumbleweed are blocked by default.
- The kernel-side bug dates back to 2007. The upstream patch adds a vet_description hook for cifs.spnego. The CVE is pending assignment.
Anatomy of the Attack: The Kernel-Userspace Boundary as an Attack Surface
CIFSwitch is not an isolated flaw in the kernel's CIFS client, but a failure in the trust transition between the kernel and userspace. When the kernel mounts a CIFS share using Kerberos authentication, it delegates ticket management to the cifs.upcall userspace process—provided by the cifs-utils package. The cifs.spnego key description mechanism serves as the coordination point.
According to Manizada’s disclosure reported by linuxiac.com, the kernel fails to verify that cifs.spnego requests actually originate from the CIFS subsystem. Any userspace process can forge them. The default request-key policy still executes cifs.upcall as root, even when the description is entirely attacker-controlled. This is the core of the issue: a boundary confusion that transforms a service request into an attack surface.
The exploit sets upcall_target=app and a malicious PID. The helper then enters an attacker-controlled namespace, where it finds a locally placed NSS configuration and a modified libnss_*.so.2 module. cifs.upcall loads and executes this code before dropping root privileges. The source describes the result: a malicious NSS module writes an entry to /etc/sudoers.d, granting the attacker persistent root access.
"The primitive is reliable and turns any local shell into a path to root" — Saeed Abbasi, Qualys (regarding CVE-2026-46333, a separate vulnerability from CIFSwitch)
Distribution Roulette: Why the Same Vulnerability Hits Some and Not Others
Manizada tested over fifteen distributions. The result is a fragmented exploitability map that depends less on the presence of the kernel bug—which has been present everywhere since 2007—than on each system's security configuration.
Systems vulnerable out-of-the-box include: Linux Mint 21.3 and 22.3, CentOS Stream 9, Rocky Linux 9, Kali Linux versions 2021.4 through 2026.1, AlmaLinux 9.7 and AlmaLinux Azure, SLES 15 SP7, SLES SAP 15 SP7, and SLES SAP 16 with SELinux in permissive mode. These systems combine a vulnerable kernel, compatible cifs-utils (version 6.14 or later with backports), and containment policies that do not break the execution chain.
Exploitable only with manually installed cifs-utils: Ubuntu 18.04, 20.04, and 22.04 LTS, Debian 11, 12, and 13, Pop!_OS 22.04 and 24.04, openSUSE Leap 15.6, Rocky Linux 8, Oracle Linux 8 and 9, and Amazon Linux 2023. On these distributions, the package is not present by default, but a privileged user or deployment process may have added it.
Blocked by default: Fedora 40, 41, 42, 43, and 44, Ubuntu 26.04 LTS, CentOS Stream 10, Rocky Linux 10, AlmaLinux 10.1, Oracle Linux 10, openSUSE Tumbleweed and Leap 16.0, and SLES 16. On these systems, SELinux or AppArmor interrupts the execution of cifs.upcall within the modified context, or user namespaces are configured to prevent the pivot. The kernel flaw exists, but the containment perimeter neutralizes it.
The Role of cifs-utils 6.14+ and Activation Conditions
The vulnerability requires five conditions to align. First, a kernel containing the 2007 bug, present on all affected versions at the time of publication. Second, cifs-utils 6.14 or later, or versions with backports of the upcall_target mechanism. Third, the default cifs.spnego request-key rule, which executes the helper as root. Fourth, the enablement of unprivileged user or mount namespaces. Fifth, the absence of SELinux or AppArmor blocks on the execution chain.
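As an added example (not code from the disclosure, this article, or cifs-utils), a POSIX shell audit that checks the activation conditions listed above on a host. It assumes the standard request-key.conf locations and the usual sysctl and sysfs paths for namespaces, SELinux and AppArmor, leaves the cifs-utils version check (6.14+ or backports) to the package manager, and treats the kernel bug as present on any unpatched kernel.

```shell
#!/bin/sh
# Added audit helper, not from the CIFSwitch disclosure or cifs-utils. The
# kernel bug is assumed present on any unpatched kernel and the cifs-utils
# version check (6.14+ or backports) is left to the package manager.

# Does request-key config text (stdin) hold the default rule that runs
# cifs.upcall for cifs.spnego descriptions?
has_spnego_upcall_rule() {
    grep -Eq '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]].*cifs\.upcall'
}

# Unprivileged user namespaces permitted? Sysctl contents are passed in so the
# logic is testable offline: $1 user.max_user_namespaces,
# $2 kernel.unprivileged_userns_clone, $3 kernel.apparmor_restrict_unprivileged_userns
# ("" when a sysctl does not exist on this kernel).
userns_allowed() {
    [ "${1:-0}" -gt 0 ] || return 1
    [ -z "$2" ] || [ "$2" = 1 ] || return 1
    [ -z "$3" ] || [ "$3" = 0 ] || return 1
}

# SELinux enforcing ($1 = /sys/fs/selinux/enforce) or AppArmor enabled
# ($2 = /sys/module/apparmor/parameters/enabled)? Only helps if the loaded
# policy actually confines cifs.upcall, so the verdict says "verify policy".
mac_enforcing() {
    [ "$1" = 1 ] || [ "$2" = Y ]
}

# Combine the checks (yes/no): helper installed, rule present, userns, MAC.
cifswitch_verdict() {
    [ "$1" = yes ] || { echo "not-exploitable:cifs-utils-absent"; return; }
    [ "$2" = yes ] || { echo "not-exploitable:no-cifs.spnego-rule"; return; }
    [ "$3" = yes ] || { echo "not-exploitable:userns-restricted"; return; }
    [ "$4" = yes ] && { echo "mitigated:mac-enforcing-verify-policy"; return; }
    echo "exploitable:all-conditions-met"
}

# Read the live values from this host and print the verdict.
audit_host() {
    h=no; { command -v cifs.upcall || [ -x /usr/sbin/cifs.upcall ]; } >/dev/null 2>&1 && h=yes
    r=no; cat /etc/request-key.conf /etc/request-key.d/*.conf 2>/dev/null | has_spnego_upcall_rule && r=yes
    u=no; userns_allowed "$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)" \
        "$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null)" \
        "$(cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns 2>/dev/null)" && u=yes
    m=no; mac_enforcing "$(cat /sys/fs/selinux/enforce 2>/dev/null)" \
        "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" && m=yes
    cifswitch_verdict "$h" "$r" "$u" "$m"
}
[ "${1:-}" = --run ] && audit_host
```

Run it as `sh cifswitch_audit.sh --run` on each host; a "mitigated" verdict still needs a look at whether the SELinux or AppArmor policy confines cifs.upcall, which the script cannot judge.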
Cybersecuritynews.com reports that Manizada used AI-assisted discovery to identify the attack path, a detail highlighting how trust boundary surfaces in legacy kernel subsystems are now subject to automated analysis. The PoC is public, removing the technical barrier to exploitation and necessitating an immediate assessment for multi-tenant environments, shared hosting, containers with enabled namespaces, and systems with active CIFS/SMB Kerberos mounts.
Why It Matters
The dossier does not specify detailed corrective measures for individual distributions or a release timeline for stable patches. The CVE is pending assignment. No evidence of in-the-wild exploitation has emerged, but the PoC publication makes the exposure window measurable in days.
The source does not document the exact number of enterprise systems with active CIFS and installed cifs-utils, nor the nature of the data at risk in the event of a compromise. The precise kernel version where the bug was introduced is generically identified as "2007," without a specific commit or release note. A CVSS score is not available.
The variability in exploitability across distributions structurally alters the response: there is no single universal action, only a per-system verification of the five activation conditions. The upstream patch, which adds the vet_description hook, is published but not yet incorporated into the stable kernels of the out-of-the-box vulnerable distributions.
Analysis: When Containment Outperforms Code Correctness
CIFSwitch flips the standard Linux security hierarchy. It is not the correctness of the kernel code—flawed for nearly twenty years—that determines the attack's outcome, but the severity of the containment policies imposed by the operating system. Fedora and recent Red Hat-derived distributions prove that aggressive SELinux can neutralize a persistent local kernel bug, while permissive or absent configurations allow it to transition to root without friction.
This has implications for containerized and cloud environments, where base images often inherit minimized policies for compatibility. Risk is concentrated where operational convenience has loosened containment, not where the kernel is theoretically more or less secure. The same vulnerability, on two systems with identical kernels, produces opposite results: a distribution roulette that makes local condition inventory mandatory before any risk assessment.
Frequently Asked Questions
- Why did the bug remain in the kernel since 2007?
  The cifs.spnego mechanism is a trust boundary path between the kernel and userspace that was not subjected to request origin validation. The source cites 2007 as the year of introduction but does not specify the commit or the circumstances behind the lack of review.
- Is a system without CIFS mounts at risk?
  The source does not list activation conditions other than cifs-utils and CIFS/SMB Kerberos mounts. A system is not exploitable out-of-the-box if the package is not installed, though the kernel vulnerability remains present.
- Is the upstream patch sufficient?
  The patch adds the vet_description hook for cifs.spnego, but the dossier does not document integration dates for the stable kernels of individual distributions. Adoption depends on each project's maintainers.
Information is based on the cited source and is current as of the time of publication.
Sources
- https://linuxiac.com/cifswitch-vulnerability-exposes-some-linux-distros-to-local-root-access/
- https://cybersecuritynews.com/linux-cifswitch-kernel-vulnerability/
- https://thehackernews.com/2026/05/9-year-old-linux-kernel-flaw-enables.html
- https://thehackernews.com/2026/05/microsoft-warns-of-two-actively.html
- https://thehackernews.com/2026/05/litespeed-cpanel-plugin-cve-2026-48172.html
- https://nvd.nist.gov/vuln/detail/CVE-2010-0806
- https://nvd.nist.gov/vuln/detail/CVE-2010-0249
- https://nvd.nist.gov/vuln/detail/CVE-2009-1537
- https://nvd.nist.gov/vuln/detail/cve-2008-4250
- https://nvd.nist.gov/vuln/detail/CVE-2009-3459