New Linux CIFSwitch Kernel Vulnerability Allows Attackers to Gain Root Access


https://cybersecuritynews.com/linux-cifswitch-kernel-vulnerability/amp/

Publish Date: 2026-05-28 11:18:00

Source Domain: cybersecuritynews.com

A newly disclosed Linux local privilege escalation (LPE) vulnerability dubbed “CIFSwitch” enables low-privileged users to gain root access by abusing a logic flaw between the Linux kernel CIFS client and the userspace cifs-utils package.

The bug was discovered by security researcher Asim Manizada, who has published a detailed technical write-up and PoC to help defenders assess their exposure and validate patches.

The issue stems from improper validation of key descriptions in the cifs.spnego key type, allowing unprivileged users to impersonate trusted kernel requests and trigger privileged operations.

Linux CIFSwitch Kernel Vulnerability

The vulnerability was found using an AI-assisted, multihop reasoning approach that builds and walks semantic graphs of security-relevant objects and flows, enabling the chaining of subtle logic flaws into a practical exploit.

The advisory was disclosed after an embargo coordinated with Linux distributions, and upstream kernel patches are already available.

CIFS/SMB is a widely used Windows-style network filesystem protocol on Linux. In this architecture, the kernel CIFS client handles core filesystem operations.

Kerberos/SPNEGO authentication, however, is delegated to a root-privileged userspace helper, cifs.upcall, provided by cifs-utils.

The interaction uses Linux keyrings: the kernel calls request_key() for a cifs.spnego key, passing a trusted description string that encodes parameters such as server, UID, credential UID, PID, and namespace target.

The /sbin/request-key policy then launches cifs.upcall as root to process that request.

Manizada’s research showed that the kernel did not verify whether the cifs.spnego key description actually originated from the CIFS subsystem before treating it as trusted.

This omission allows any unprivileged process to directly invoke request_key("cifs.spnego", , …).

Because the key type is cifs.spnego, the default request-key rule still…
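The request-key policy lookup described above, as an added example that is not part of the original article or of cifs-utils: it parses a constructed policy in the format of /etc/request-key.conf and reports which root-run helper would be launched for a given key type and description, so a defender can inventory the privileged helpers reachable through request_key(). Glob-style wildcard matching via fnmatch is an assumption of this example (the real request-key matcher may differ), and the sample description string is constructed.

```python
import fnmatch
from typing import NamedTuple, Optional

# Constructed policy in the format of /etc/request-key.conf and
# /etc/request-key.d/*.conf: op, key type, description pattern,
# callout-info pattern, program, arguments. The cifs.spnego line mirrors
# the rule shape cifs-utils installs; the other lines are made up.
SAMPLE_POLICY = """\
# constructed request-key policy (not a real system file)
create  cifs.spnego   *         *  /usr/sbin/cifs.upcall %k
create  dns_resolver  *         *  /sbin/key.dns_resolver %k
create  user          debug:*   *  /bin/keyctl instantiate %k debug %S
negate  *             *         *  /bin/keyctl negate %k 30 %S
"""

class Rule(NamedTuple):
    op: str
    key_type: str
    desc_pattern: str
    callout_pattern: str
    program: str
    args: str

def parse_policy(text: str) -> list[Rule]:
    """Parse policy lines; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)          # args keep their inner spaces
        if len(fields) < 5:
            raise ValueError(f"malformed rule: {line!r}")
        fields += [""] * (6 - len(fields))    # rule without arguments
        rules.append(Rule(*fields))
    return rules

def match_rule(rules, op, key_type, description, callout="") -> Optional[Rule]:
    """First rule request-key would act on (assumed fnmatch wildcards), or None.
    Note there is no field for *who* asked: kernel and user requests match alike."""
    for r in rules:
        if (r.op == op and fnmatch.fnmatchcase(key_type, r.key_type)
                and fnmatch.fnmatchcase(description, r.desc_pattern)
                and fnmatch.fnmatchcase(callout, r.callout_pattern)):
            return r
    return None

def helpers_reachable_for(rules, key_type) -> list[str]:
    """Programs launched as root for any 'create' request of this key type."""
    return [r.program for r in rules
            if r.op == "create" and fnmatch.fnmatchcase(key_type, r.key_type)]
```

Running helpers_reachable_for() over the real policy files on a host lists every privileged helper a request_key() call can reach, which is the inventory to check against the patched kernel and cifs-utils versions.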
