Critical Linux CIFSwitch Kernel Flaw Grants Root
A new local privilege escalation (LPE) vulnerability, dubbed “CIFSwitch,” now allows low-privileged Linux users to gain root access. This critical flaw exploits a logic error between the Linux kernel’s CIFS client and the userspace cifs-utils package.
The bug was discovered by security researcher Asim Manizada, who has published a detailed technical write-up and PoC to help defenders assess their exposure and validate patches.
The issue stems from improper validation of key descriptions in the cifs.spnego key type, allowing unprivileged users to impersonate trusted kernel requests and trigger privileged operations.
Linux CIFSwitch Kernel Vulnerability
The vulnerability was found using an AI-assisted, multihop reasoning approach that builds and walks semantic graphs of security-relevant objects and flows, enabling the chaining of subtle logic flaws into a practical exploit.
The advisory was disclosed after an embargo coordinated with Linux distributions, and upstream kernel patches are already available.
CIFS/SMB is a widely used Windows-style network filesystem protocol on Linux. In this architecture, the kernel CIFS client handles core filesystem operations.
At the same time, Kerberos/SPNEGO authentication is delegated to a root-privileged userspace helper, cifs.upcall, provided by cifs-utils.
The interaction uses Linux keyrings: the kernel calls request_key() for a cifs.spnego key, passing a description string that is treated as trusted and that encodes parameters such as the server, UID, credential UID, PID, and namespace target.
The /sbin/request-key policy then launches cifs.upcall as root to process that request.
Manizada’s research showed that the kernel did not verify whether a cifs.spnego key description actually originated from the CIFS subsystem before treating it as trusted.
This omission allows any unprivileged process to directly invoke request_key("cifs.spnego", <crafted_description>, ...).
Because the key type is cifs.spnego, the default request-key rule still spawns cifs.upcall as root, even though the description is fully attacker-controlled.
The exploit chain hinges on two elements in that forged description: pid and upcall_target.
By setting upcall_target=app and supplying a malicious pid, the attacker causes cifs.upcall to switch into the namespaces of the attacker-controlled process before it performs NSS-based account lookups and finally drops privileges.
Inside this attacker-controlled mount namespace, a rogue nsswitch.conf and malicious libnss_*.so.2 can be planted so that a root-privileged NSS lookup loads and executes arbitrary code.
In Manizada’s PoC, the malicious NSS module writes an entry into /etc/sudoers.d, granting the attacker effective root access.
The underlying kernel bug traces back to 2007. However, successful exploitation requires several conditions:
A vulnerable kernel, a compatible cifs-utils version (notably 6.14+ or older builds with backported changes), and unprivileged user namespace creation.
Linux Security Module (LSM) policies such as SELinux or AppArmor that do not block the attack path.
Testing shows that many mainstream distributions are exploitable out of the box when cifs-utils is present. In contrast, others are only exploitable after installing cifs-utils or relaxing default LSM policies.
The upstream kernel fix adds a vet_description hook for the cifs.spnego key type, ensuring descriptions are accepted only when the request is made under the CIFS client’s internal spnego_cred, effectively blocking unprivileged userspace from masquerading as the kernel.
Further hardening is recommended in cifs-utils so that cifs.upcall does not unquestioningly trust key descriptions as originating from the kernel.
Asim Manizada has published the full technical write-up (“CIFSwitch”) and the PoC exploit on GitHub to support defenders, maintainers, and incident responders in verifying mitigations and patch coverage.
Administrators should urgently deploy the backported kernel patches and consider defense-in-depth measures such as disabling CIFS where unused, removing cifs-utils, tightening request-key rules for cifs.spnego, and restricting unprivileged user namespaces.
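As an added example (not from the advisory, the PoC or cifs-utils), the POSIX shell audit below checks the exploitation preconditions listed above and the mitigation surface named in the hardening advice: whether the cifs filesystem is registered with the kernel, whether cifs.upcall and its cifs.spnego request-key rule are installed, and whether unprivileged user namespaces are allowed. File paths are parameters so the checks can be run against fixtures; the /proc/sys knobs and the /etc/request-key.d/cifs.spnego.conf rule format are assumptions about a typical distribution, and the script only reports (it checks neither LSM policy nor patch level).

```shell
#!/bin/sh
# Audit helper for the CIFSwitch preconditions (added example, not from the
# advisory or cifs-utils). Every path is a parameter so the checks can be
# exercised against fixture files as well as the live host.

# cifs is usable only if the filesystem is registered (built-in or loaded
# module); /proc/filesystems then lists it as "nodev cifs". Returns 0 if so.
cifs_registered() {
    grep -qw cifs "${1:-/proc/filesystems}" 2>/dev/null
}

# cifs-utils ships /etc/request-key.d/cifs.spnego.conf (assumed) with a rule like
#   create cifs.spnego * * /usr/sbin/cifs.upcall %k
# Prints any such rule from the request-key.d directory or request-key.conf and
# returns 0 if one exists, i.e. a root callout still fires for cifs.spnego keys.
cifs_spnego_rule_present() {
    cat "${1:-/etc/request-key.d}"/*.conf "${2:-/etc/request-key.conf}" 2>/dev/null |
        grep -E '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]]'
}

# Unprivileged user namespaces are a precondition for the namespace switch.
# Mainline exposes user.max_user_namespaces (0 disables them); Debian/Ubuntu add
# kernel.unprivileged_userns_clone (assumed knob; absent means unrestricted).
unpriv_userns_enabled() {
    max="$(cat "${1:-/proc/sys/user/max_user_namespaces}" 2>/dev/null || echo 0)"
    clone="$(cat "${2:-/proc/sys/kernel/unprivileged_userns_clone}" 2>/dev/null || echo 1)"
    [ "$max" -gt 0 ] && [ "$clone" -eq 1 ]
}

# Prints which preconditions hold on this host. LSM policy and kernel patch
# level are out of scope, so this reports exposure surface, not exploitability.
cifswitch_exposure_report() {
    n=0
    cifs_registered && { echo "[+] cifs filesystem registered"; n=$((n + 1)); }
    [ -x "${CIFS_UPCALL:-/usr/sbin/cifs.upcall}" ] &&
        { echo "[+] cifs.upcall installed (cifs-utils present)"; n=$((n + 1)); }
    cifs_spnego_rule_present >/dev/null &&
        { echo "[+] request-key rule dispatches cifs.spnego to a root callout"; n=$((n + 1)); }
    unpriv_userns_enabled && { echo "[+] unprivileged user namespaces allowed"; n=$((n + 1)); }
    echo "$n of 4 CIFSwitch preconditions present; patch the kernel first, then"
    echo "remove what is unneeded (cifs-utils, the cifs.spnego rule, unprivileged userns)."
    return 0
}
```

Run `cifswitch_exposure_report` as root to audit a live host; the individual functions accept fixture paths for testing.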
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.