{"id":260840,"date":"2026-06-01T06:02:00","date_gmt":"2026-06-01T10:02:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/01\/a-spacex-security-engineer-used-ai-to-find-a-19-year-old-linux-bug-that-gives-attackers-root\/"},"modified":"2026-06-01T06:20:18","modified_gmt":"2026-06-01T10:20:18","slug":"a-spacex-security-engineer-used-ai-to-find-a-19-year-old-linux-bug-that-gives-attackers-root","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/01\/a-spacex-security-engineer-used-ai-to-find-a-19-year-old-linux-bug-that-gives-attackers-root\/","title":{"rendered":"A SpaceX Security Engineer Used AI to Find a 19-Year-Old Linux Bug That Gives Attackers Root"},"content":{"rendered":"

A SpaceX Security Engineer Used AI to Find a 19-Year-Old Linux Bug That Gives Attackers Root<\/a><\/p>\n

https:\/\/securityaffairs.com\/192959\/security\/a-spacex-security-engineer-used-ai-to-find-a-19-year-old-linux-bug-that-gives-attackers-root.html<\/a><\/p>\n

Publish Date: 2026-06-01 06:02:00<\/a><\/p>\n

Source Domain: securityaffairs.com<\/a><\/p>\n

CIFSwitch, a Linux Root Bug Hidden in Plain Sight for 19 Years<\/h2>\n<\/p>\n

\t\t\t\t\t\t\t Pierluigi Paganini<\/span>
\n\t\t\t\t\t\t\t\"\"\/ June 01, 2026<\/span><\/p>\n

\t\t\t\t\t\t\"\"\/<\/p>\n

CIFSwitch is a 19-year-old Linux logic bug turning forged CIFS auth keys into root. Affects Mint, CentOS, Rocky, Kali, SLES.<\/h2>\n

CIFSwitch stands apart from typical privilege escalation vulnerabilities because of how it was discovered. Asim Manizada, a security engineer at SpaceX, didn\u2019t find it by auditing source code the old-fashioned way. He built an AI-powered framework that constructs semantic graphs of kernel objects and their relationships, then had the models walk those graphs looking for mismatches between what a component creates and what a privileged consumer assumes. The result is a multi-step logic chain that reaches root on major distros, including Linux Mint, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali Linux, and SLES 15.<\/p>\n

The vulnerability has been in the Linux kernel since 2007. It lives at the intersection of the kernel\u2019s CIFS client and the cifs-utils helper that handles Kerberos authentication for network file shares. When a CIFS mount needs Kerberos credentials, the kernel requests a key of type cifs.spnego and a root-privileged helper called cifs.upcall runs to fetch the authentication material. The problem is that nothing stops an unprivileged user from making the exact same key request with fabricated fields. <\/p>\n

\u201cCIFS\/SMB is a Windows-style network filesystem protocol. On Linux, the CIFS kernel client handles the actual filesystem parts: mounting the share, talking SMB to the server, doing reads\/writes, etc. But, understandably, for Kerberos-auth\u2019d mounts, kernel CIFS doesn\u2019t roll its own auth stack and instead relies on a userspace helper provided by\u00a0cifs-utils.\u201d continues the report. <\/p>\n

\u201cThe interaction happens through Linux keyrings. The kernel requests a\u00a0cifs.spnego-type key, and the normal keyutils\/request-key config runs\u00a0cifs.upcall\u00a0as root to…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

A SpaceX Security Engineer Used AI to Find a 19-Year-Old Linux Bug That Gives Attackers…<\/p>\n","protected":false},"author":1,"featured_media":260841,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2015\/11\/Linux-ransomware-encoder1.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[143,144,71,110,112,57,27],"class_list":["post-260840","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-almalinux","tag-centos","tag-linux","tag-linux-mint","tag-rocky-linux","tag-security","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/260840"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=260840"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/260840\/revisions"}],"predecessor-version":[{"id":260842,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/260840\/revisions\/260842"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/260841"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=260840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=260840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=260840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}