A SpaceX Security Engineer Used AI to Find a 19-Year-Old Linux Bug That Gives Attackers Root

https://securityaffairs.com/192959/security/a-spacex-security-engineer-used-ai-to-find-a-19-year-old-linux-bug-that-gives-attackers-root.html

Publish Date: 2026-06-01 06:02:00

Source Domain: securityaffairs.com

CIFSwitch, a Linux Root Bug Hidden in Plain Sight for 19 Years

Pierluigi Paganini
June 01, 2026

CIFSwitch is a 19-year-old Linux logic bug turning forged CIFS auth keys into root. Affects Mint, CentOS, Rocky, Kali, SLES.

CIFSwitch stands apart from typical privilege escalation vulnerabilities because of how it was discovered. Asim Manizada, a security engineer at SpaceX, didn’t find it by auditing source code the old-fashioned way. He built an AI-powered framework that constructs semantic graphs of kernel objects and their relationships, then had the models walk those graphs looking for mismatches between what a component creates and what a privileged consumer assumes. The result is a multi-step logic chain that reaches root on major distros, including Linux Mint, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali Linux, and SLES 15.

The vulnerability has been in the Linux kernel since 2007. It lives at the intersection of the kernel’s CIFS client and the cifs-utils helper that handles Kerberos authentication for network file shares. When a CIFS mount needs Kerberos credentials, the kernel requests a key of type cifs.spnego and a root-privileged helper called cifs.upcall runs to fetch the authentication material. The problem is that nothing stops an unprivileged user from making the exact same key request with fabricated fields.

“CIFS/SMB is a Windows-style network filesystem protocol. On Linux, the CIFS kernel client handles the actual filesystem parts: mounting the share, talking SMB to the server, doing reads/writes, etc. But, understandably, for Kerberos-auth’d mounts, kernel CIFS doesn’t roll its own auth stack and instead relies on a userspace helper provided by cifs-utils,” the report continues.

“The interaction happens through Linux keyrings. The kernel requests a cifs.spnego-type key, and the normal keyutils/request-key config runs cifs.upcall as root to…
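The keyring upcall described above is wired up through the keyutils request-key configuration. The following script is an added defender-side inventory check, not code from the article or from cifs-utils; it assumes the standard request-key.conf line format (`<op> <key-type> <description> <callout-info> <program> [args...]`) and the usual `/etc/request-key.conf` plus `/etc/request-key.d/*.conf` locations, and uses a constructed sample config so it can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the article): find which root-run helper a host's
# request-key configuration maps to the cifs.spnego key type, i.e. the hook
# the kernel CIFS client triggers for Kerberos mounts. Input is config text in
# the keyutils request-key.conf format:
#   <op> <key-type> <description> <callout-info> <program> [args...]

# Print the <program> field of every line that routes cifs.spnego to a helper.
# Comment lines and blank lines are skipped; fields are whitespace-separated.
cifs_spnego_handlers() {
    # $1: config text (may span many lines)
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "create" && $2 == "cifs.spnego" { print $5 }
    '
}

# Exit status 0 if at least one cifs.spnego handler is configured.
cifs_spnego_configured() {
    [ -n "$(cifs_spnego_handlers "$1")" ]
}

# Constructed sample resembling a distro drop-in for the cifs.spnego upcall.
SAMPLE_CONF='# cifs.spnego upcall (constructed sample, not a real distro file)
create  cifs.spnego  *  *  /usr/sbin/cifs.upcall  %k
'

# Inventory the live host: read the main config and any drop-ins, then report
# whether a root-run cifs.spnego helper is reachable from a key request.
audit_host() {
    cfg=""
    for f in /etc/request-key.conf /etc/request-key.d/*.conf; do
        [ -r "$f" ] && cfg="$cfg
$(cat "$f")"
    done
    if cifs_spnego_configured "$cfg"; then
        echo "cifs.spnego upcall configured: $(cifs_spnego_handlers "$cfg" | sort -u | tr '\n' ' ')"
        echo "-> this host runs a root helper on cifs.spnego key requests; confirm cifs-utils is patched"
    else
        echo "no cifs.spnego request-key handler found"
    fi
}

echo "sample config handler: $(cifs_spnego_handlers "$SAMPLE_CONF")"
audit_host
```

Run it across a fleet to list the hosts where the cifs.upcall path is actually reachable, which is where a patched cifs-utils matters most.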
