{"id":258156,"date":"2026-05-28T17:11:00","date_gmt":"2026-05-28T21:11:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/28\/cifswitch-vulnerability-exposes-some-linux-distros-to-local-root-access\/"},"modified":"2026-05-28T17:15:22","modified_gmt":"2026-05-28T21:15:22","slug":"cifswitch-vulnerability-exposes-some-linux-distros-to-local-root-access","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/28\/cifswitch-vulnerability-exposes-some-linux-distros-to-local-root-access\/","title":{"rendered":"CIFSwitch Vulnerability Exposes Some Linux Distros to Local Root Access"},"content":{"rendered":"<p><a href=\"https:\/\/linuxiac.com\/cifswitch-vulnerability-exposes-some-linux-distros-to-local-root-access\/\">CIFSwitch Vulnerability Exposes Some Linux Distros to Local Root Access<\/a><\/p>\n<p><a href=\"https:\/\/linuxiac.com\/cifswitch-vulnerability-exposes-some-linux-distros-to-local-root-access\/\">https:\/\/linuxiac.com\/cifswitch-vulnerability-exposes-some-linux-distros-to-local-root-access\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-28 17:11:00<\/a><\/p>\n<p>Source Domain: <a href=\"linuxiac.com\">linuxiac.com<\/a><\/p>\n<p class=\"wp-block-paragraph\">A newly disclosed Linux local privilege escalation vulnerability, CIFSwitch, allows an unprivileged local user to gain root access on certain systems via the Linux kernel\u2019s CIFS client and the cifs-utils userspace helper. CIFS, also known as SMB, is a network file-sharing protocol commonly used to access Windows file shares from Linux and other platforms.<\/p>\n<p class=\"wp-block-paragraph\">Security researcher Asim Manizada disclosed the issue, describing it as a non-universal Linux local root vulnerability since exploitability depends on specific distribution configurations. A public proof-of-concept exploit is available, increasing the urgency for patching and mitigation on affected systems.<\/p>\n<p class=\"wp-block-paragraph\">CIFSwitch exists at the interface between the kernel CIFS client and cifs.upcall, the cifs-utils helper for Kerberos-authenticated CIFS\/SMB mounts. While CIFS is commonly associated with Windows file shares, Linux systems can also mount SMB shares using the kernel CIFS client.<\/p>\n<p class=\"wp-block-paragraph\">The vulnerability arises from how CIFS uses Linux keyrings. Normally, the kernel requests a cifs.spnego key, and the system\u2019s request-key configuration launches cifs.upcall as root to handle Kerberos\/SPNEGO authentication.<\/p>\n<p class=\"wp-block-paragraph\">According to the disclosure, the vulnerability allows an unprivileged userspace process to request a forged cifs.spnego key description. The kernel failed to properly reject descriptions not originating from kernel CIFS, and the default request-key rule could still launch cifs.upcall as root.<\/p>\n<p class=\"wp-block-paragraph\">The userspace helper then parsed attacker-controlled fields, including pid, uid, creduid, and upcall_target, as if they were generated by the kernel. By setting upcall_target=app, the helper could switch into a namespace controlled by the attacker.<\/p>\n<p class=\"wp-block-paragraph\">The attack is particularly dangerous because account lookup through NSS can occur before the final privilege drop. In this state, a namespace-local NSS configuration and module can be loaded by the root helper, enabling attacker-controlled code to run with&#8230;<\/p>\n<p><a href=\"https:\/\/linuxiac.com\/cifswitch-vulnerability-exposes-some-linux-distros-to-local-root-access\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CIFSwitch Vulnerability Exposes Some Linux Distros to Local Root Access https:\/\/linuxiac.com\/cifswitch-vulnerability-exposes-some-linux-distros-to-local-root-access\/ Publish Date: 2026-05-28 17:11:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":258157,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/linuxiac.com\/wp-content\/uploads\/2026\/05\/cifwitch.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[31,71,57,27],"class_list":["post-258156","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-exploit","tag-linux","tag-security","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/258156"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=258156"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/258156\/revisions"}],"predecessor-version":[{"id":258158,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/258156\/revisions\/258158"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/258157"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=258156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=258156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=258156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}