Full Report
A newly discovered local privilege escalation vulnerability dubbed 'CIFSwitch' in the Linux kernel could allow attackers to forge CIFS authentication key descriptions, abuse the kernel's key request mechanism, and gain root privileges. [...]
Analysis Summary
This summary provides a technical overview of the "CIFSwitch" vulnerability based on the provided report.
# Vulnerability: CIFSwitch Local Privilege Escalation
## CVE Details
* **CVE ID:** Not explicitly listed in the article (referred to as "CIFSwitch").
* **CVSS Score:** Not specified (Estimated High/Critical for Local Privilege Escalation).
* **CWE:** CWE-20 (Improper Input Validation) / CWE-287 (Improper Authentication).
## Affected Systems
* **Products:** Linux Kernel (CIFS subsystem) and `cifs-utils`.
* **Versions:**
  * `cifs-utils`: Versions 6.14 and higher (some older variants are also affected).
  * Kernel: Flaw introduced in 2007 (Commit 7ad7859).
* **Configurations:** Systems using Kerberos for CIFS authentication and distributions allowing unprivileged user namespaces.
* **Confirmed Vulnerable:** Linux Mint 21.3/22.3, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali Linux 2021.4–2026.1, and SLES 15 SP7.
* **Potentially Vulnerable:** Ubuntu, Debian, Pop!_OS, openSUSE, and Amazon Linux (if `cifs-utils` is installed).
## Vulnerability Description
The vulnerability exists in how the Linux kernel's CIFS subsystem handles `cifs.spnego-type` key requests. When a system mounts a CIFS share using Kerberos, the kernel calls `cifs.upcall` (part of `cifs-utils`) as root to handle authentication.
The flaw is a lack of origin validation: the kernel fails to verify that a `cifs.spnego` request actually came from the kernel’s own CIFS client. A local unprivileged attacker can forge a request that the `cifs.upcall` helper trusts. By manipulating fields in the forged request, the attacker can force a namespace switch and trigger a Name Service Switch (NSS) lookup. This allows the attacker to load a malicious NSS module, resulting in code execution with root privileges.
## Exploitation
* **Status:** PoC available.
* **Complexity:** Medium (Depends on specific distribution configurations and security modules).
* **Attack Vector:** Local.
## Impact
* **Confidentiality:** High (Full system access).
* **Integrity:** High (Full system modification).
* **Availability:** High (Potential for system-wide disruption).
## Remediation
### Patches
* **Linux Kernel:** Apply upstream commit `3da1fdf4efbc490041eb4f836bf596201203f8f2`. Users should update to the latest kernel version provided by their distribution vendor.
### Workarounds
* Disable or blacklist the CIFS kernel module if it is not required.
* Remove the `cifs-utils` package if network sharing is not used.
* Disable unprivileged user namespaces (`sysctl -w kernel.unprivileged_userns_clone=0` on supported systems).
* Ensure SELinux or AppArmor is enabled and enforced, as default profiles in some distributions (e.g., Fedora, Ubuntu 26.04) mitigate the attack.
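As an added example (not from the report, cifs-utils or the kernel), a POSIX shell script that checks whether each workaround above is in effect on a host and counts the remaining risk factors. The sysfs/procfs knobs it reads and the `cifs.upcall` install locations are assumptions about common Linux layouts; the root-prefix argument exists so the checks can be run against a staged directory tree.

```shell
#!/bin/sh
# Added example, not part of the original report: checks whether the
# CIFSwitch workarounds are in effect. Every check takes a root prefix
# ("" for the live host, a staged tree for testing; assumption) and
# exits 0 when the corresponding risk factor is PRESENT.

file_value() { cat "$1" 2>/dev/null; }   # empty if the file is absent

# cifs module loaded or built in: the key-request path is reachable.
cifs_module_present() { [ -d "$1/sys/module/cifs" ]; }

# cifs-utils installed: the trusted helper a forged request would reach.
# Binary paths and request-key config location are assumptions.
cifs_upcall_installed() {
    [ -x "$1/usr/sbin/cifs.upcall" ] || [ -x "$1/sbin/cifs.upcall" ] ||
    [ -f "$1/etc/request-key.d/cifs.spnego.conf" ]
}

# Unprivileged user namespaces: Debian/Ubuntu expose the clone knob from
# the workaround above; other kernels only have max_user_namespaces.
# Unknown is treated as enabled so a host is never silently called safe.
unprivileged_userns_enabled() {
    clone=$(file_value "$1/proc/sys/kernel/unprivileged_userns_clone")
    if [ -n "$clone" ]; then [ "$clone" != "0" ]; return; fi
    max=$(file_value "$1/proc/sys/user/max_user_namespaces")
    [ -z "$max" ] || [ "$max" != "0" ]
}

# Neither SELinux enforcing nor AppArmor enabled: MAC mitigation absent.
mac_not_enforcing() {
    [ "$(file_value "$1/sys/fs/selinux/enforce")" = "1" ] && return 1
    [ "$(file_value "$1/sys/module/apparmor/parameters/enabled")" = "Y" ] && return 1
    return 0
}

# Echoes the number of risk factors present (0..4); names them on stderr.
cifswitch_exposure_count() {
    n=0
    for check in cifs_module_present cifs_upcall_installed \
                 unprivileged_userns_enabled mac_not_enforcing; do
        if "$check" "$1"; then n=$((n + 1)); echo "present: $check" >&2; fi
    done
    echo "$n"
}

# Usage: sh check.sh --run            (live host)
#        sh check.sh --run /staged    (staged tree)
[ "${1-}" = "--run" ] && cifswitch_exposure_count "${2:-}"
```

A count of 0 means every listed workaround is in place; the script does not change anything on the host.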
## Detection
* **Indicators of Compromise:** Unexpected calls to `cifs.upcall` by unprivileged users; unauthorized loading of NSS modules.
* **Detection Methods:** Monitor audit logs for unusual namespace transitions or `keyutils` activity involving `cifs.spnego`.
## References
* Researcher Technical Report: hxxps[://]heyitsas[.]im/posts/cifswitch/
* Upstream Kernel Fix: hxxps[://]github[.]com/torvalds/linux/commit/3da1fdf4efbc490041eb4f836bf596201203f8f2
* Proof of Concept: hxxps[://]github[.]com/manizada/CIFSwitch