CIFSwitch: Old Linux kernel vulnerability can grant local users root …

📖 Reading time: approx. 5 minutes · 868 words · 5,900 charactersListen

−1.0×+

⏹ Stop

Vulnerabilities in the Linux kernel are rarely pleasant, but some cases have a particularly unpleasant twist: they remain in established code paths for years until modern system functions suddenly enable a new attack chain. That is exactly what CIFSwitch is about. The vulnerability was publicly documented at the end of May 2026 and affects the interaction of the Linux CIFS/SMB client with cifs-utils and privileged userspace helpers. WinFuture covered the case on June 2, 2026. It is important to classify this correctly from the outset: CIFSwitch is not a remote vulnerability that allows arbitrary Linux systems to be taken over directly from the Internet. It is a local privilege escalation. An attacker therefore already needs access to a system with low privileges. Under suitable conditions, however, this can lead to root access. For multi-user systems, developer workstations, CI runners, container build hosts, or servers with shell access, that is more than a mere academic footnote.

Technically, the issue affects CIFS, or SMB, the mechanism by which Linux mounts network shares from Windows or Samba systems, for example. For certain authentication paths, especially Kerberos/SPNEGO, the kernel works together with a userspace helper from cifs-utils. According to the technical analysis by Asim Manizada, this handoff was not sufficiently protected. The kernel therefore accepted cifs.spnego descriptions without checking strictly enough whether they actually originated from the kernel CIFS path. As a result, a local, unprivileged process could generate manipulated requests that were later treated as trusted kernel requests. In combination with namespaces and cifs-utils, this led under certain configurations to a local privilege escalation to root. This is not a flaw that automatically affects every Linux system in the same way. Several prerequisites are…

Source