A new CIFSwitch Linux bug gives root on many distributions

A newly discovered local privilege escalation vulnerability in the Linux kernel, dubbed ‘CIFSwitch’, could allow attackers to forge CIFS key authentication requests, abuse the kernel’s key request mechanism, and gain root privileges.
The issue affects many Linux distributions that ship a vulnerable combination of the kernel’s CIFS client and cifs-utils (versions 6.14 and higher, although some older versions are also affected).
CIFS (Common Internet File System) is a network protocol that allows access to files, folders, and devices across a local network. Linux uses it to mount, read, and write data from remote systems.
When a CIFS network share uses Kerberos for authentication, the Linux kernel invokes a user-space helper program to perform the authentication, with the cifs-utils collection of user-space tools acting as an intermediary.
“The kernel requests a key of type cifs.spnego, and the typical keyutils/key application configuration uses cifs.upcall as the root to download or create the Kerberos/SPNEGO property,” explained Asim Viladi Oglu Manizada, the SpaceX security engineer who discovered and named the CIFSwitch Linux privilege escalation vulnerability.
The researcher says the problem is that the Linux kernel’s CIFS subsystem fails to verify that key requests for cifs.spnego actually originate from the kernel’s CIFS client.
As a result, an unprivileged user can create a fake cifs.spnego request and trigger the normal authentication workflow.
The cifs.spnego key request is used by the Linux key subsystem to obtain the authentication data required by a CIFS/SMB client when connecting to a network share using Kerberos/SPNEGO authentication.
The flaw allows the root-privileged cifs.upcall handler to trust attacker-controlled fields that it believes were created by the kernel.
By misusing these fields to force a namespace switch and trigger a Name Service Switch (NSS) lookup before privileges are dropped, a local attacker can load a malicious NSS module and achieve root code execution.
Manizada has published an extensive technical report that explains the cause of the issue and how it can be used to gain root privileges.
Impact, mitigation, and exploitation
Manizada says the CIFSwitch bug has existed for 19 years, since 2007. He adds that it is “not universal” and that exploitability depends on several factors, such as the vulnerable kernel version.
Other requirements include a vulnerable version of cifs-utils, the availability of user namespaces, and SELinux/AppArmor policies that do not block the attack.
The distributions Manizada confirms as vulnerable by default are:
- Linux Mint 21.3 / 22.3
- CentOS Stream 9
- Rocky Linux 9
- AlmaLinux 9
- Kali Linux 2021.4–2026.1
- SLES 15 SP7
The researcher noted that various versions of Ubuntu, Debian, Pop!_OS, openSUSE, Oracle Linux, and Amazon Linux may be vulnerable if ‘cifs-utils’ is installed.
However, there are also versions such as Ubuntu 26.04, Fedora 40-44, CentOS Stream 10, Rocky Linux 10, SLES 16, AlmaLinux 10, and openSUSE Leap 16, where the SELinux/AppArmor default settings prevent CIFSwitch exploitation.
Also, Amazon Linux 2 and Kali Linux 2019.4 and 2020.4 are not affected at all, as their cifs-utils versions lack the namespace-switch functionality.
CIFSwitch is fixed by a kernel patch that adds verification of the origin of the cifs.spnego request (upstream commit 3da1fdf), but the exact kernel versions that ship the patch vary from distribution to distribution.
The researcher recommends that users disable or block the CIFS module if it is not used, remove the cifs-utils package if it is not needed, and disable namespaces for unprivileged users.
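The preconditions described above (a cifs.spnego key request routed through the request-key configuration to a root-privileged cifs.upcall, unprivileged user namespaces available, and the CIFS module loadable) and the researcher's recommended mitigations can be audited from the shell. The script below is an added example, not code from the article, from Manizada's report or from the cifs-utils project. It assumes the standard request-key.conf layout (operation, key type, description, callout info, program), takes the Debian/Ubuntu sysctl kernel.unprivileged_userns_clone (upstream: user.max_user_namespaces) as the knob for unprivileged namespaces, and runs its checks against constructed sample files so it can be tried offline; on a real host you would point the functions at /etc/request-key.conf, /etc/modprobe.d/*.conf and the relevant /proc/sys path.

```shell
#!/bin/sh
# Added example: audit a host for the CIFSwitch preconditions named in the
# article and show the configuration shape of the recommended mitigations.
# Every check takes a file path, so it works on real files or on the
# constructed samples created at the bottom. Sysctl name and request-key.conf
# layout are assumptions about the local system; verify them for your distro.

# Is cifs.spnego routed to cifs.upcall in a request-key.conf file?
# Field layout assumed: OP  TYPE  DESCRIPTION  CALLOUT-INFO  PROGRAM [ARGS...]
# Prints "yes" or "no".
spnego_upcall_configured() {
  [ -r "$1" ] || { echo no; return 0; }
  if awk '!/^[[:space:]]*#/ && $1 == "create" && $2 == "cifs.spnego" && $5 ~ /cifs\.upcall/ { found = 1 }
          END { exit !found }' "$1"; then
    echo yes
  else
    echo no
  fi
}

# Does a modprobe.d file actually prevent loading the cifs module?
# "blacklist cifs" only stops alias-based autoloading; "install cifs /bin/false"
# also defeats the explicit modprobe that a mount request triggers.
cifs_module_blocked() {
  [ -r "$1" ] || { echo no; return 0; }
  if grep -Eq '^[[:space:]]*install[[:space:]]+cifs[[:space:]]+/bin/(false|true)' "$1"; then
    echo yes
  else
    echo no
  fi
}

# Are unprivileged user namespaces enabled? $1 holds the sysctl value
# (assumed: /proc/sys/kernel/unprivileged_userns_clone on Debian/Ubuntu
# kernels, /proc/sys/user/max_user_namespaces upstream). Nonzero = enabled;
# a missing file is reported as "unknown" rather than guessed.
unpriv_userns_state() {
  [ -r "$1" ] || { echo unknown; return 0; }
  v=$(tr -dc '0-9' < "$1")
  if [ -n "$v" ] && [ "$v" -ne 0 ]; then echo enabled; else echo disabled; fi
}

# Combine the checks with whether the cifs.upcall binary is present on disk
# (the "remove cifs-utils" mitigation). Prints "exposed" only when every
# precondition holds, "reduced" as soon as one mitigation is in place.
cifswitch_exposure() {
  upcall_bin="$1"; reqkey_conf="$2"; modprobe_conf="$3"; userns_file="$4"
  if [ -f "$upcall_bin" ] \
     && [ "$(spnego_upcall_configured "$reqkey_conf")" = yes ] \
     && [ "$(cifs_module_blocked "$modprobe_conf")" = no ] \
     && [ "$(unpriv_userns_state "$userns_file")" = enabled ]; then
    echo exposed
  else
    echo reduced
  fi
}

# --- constructed samples (not real system files) ---
SAMPLES=$(mktemp -d)
printf '# constructed request-key.conf\ncreate cifs.spnego * * /usr/sbin/cifs.upcall %%k\n' > "$SAMPLES/request-key.conf"
printf '# hardened: block the module even for explicit loads\ninstall cifs /bin/false\n' > "$SAMPLES/cifs-blocked.conf"
printf '# weak: blacklist alone does not stop an explicit load\nblacklist cifs\n' > "$SAMPLES/cifs-blacklist-only.conf"
printf '1\n' > "$SAMPLES/userns-on"
printf '0\n' > "$SAMPLES/userns-off"
printf '#!/bin/sh\n' > "$SAMPLES/cifs.upcall"   # stand-in for the installed helper

echo "all preconditions present: $(cifswitch_exposure "$SAMPLES/cifs.upcall" "$SAMPLES/request-key.conf" "$SAMPLES/cifs-blacklist-only.conf" "$SAMPLES/userns-on")"
echo "cifs module install-blocked: $(cifswitch_exposure "$SAMPLES/cifs.upcall" "$SAMPLES/request-key.conf" "$SAMPLES/cifs-blocked.conf" "$SAMPLES/userns-on")"
echo "unprivileged userns disabled: $(cifswitch_exposure "$SAMPLES/cifs.upcall" "$SAMPLES/request-key.conf" "$SAMPLES/cifs-blacklist-only.conf" "$SAMPLES/userns-off")"
echo "cifs-utils removed: $(cifswitch_exposure "$SAMPLES/missing-upcall" "$SAMPLES/request-key.conf" "$SAMPLES/cifs-blacklist-only.conf" "$SAMPLES/userns-on")"
```

The distinction between `blacklist cifs` and `install cifs /bin/false` is the one practitioners most often get wrong when "blocking the CIFS module": the former only suppresses alias autoloading, while the latter is what the script treats as an effective block. None of these checks replaces installing the patched kernel (upstream commit 3da1fdf); they only show whether the mitigations the researcher lists are in place.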
Manizada has published a proof-of-concept (PoC) of a CIFSwitch exploit, which can help organizations verify the effectiveness of applied patches and mitigations.
CIFSwitch is the latest in a series of elevation-of-privilege vulnerabilities affecting Linux systems that have recently been disclosed, including ‘Copy Failure,’ ‘Dirty Frag,’ ‘Fragnesia,’ ‘DirtyDecrypt,’ and ‘PinTheft.’
