A local privilege escalation vulnerability in the Linux kernel’s CIFS subsystem — named CIFSwitch by its discoverer — allows any unprivileged local user to gain root privileges on affected distributions. The vulnerability has been present in the kernel for 19 years, since 2007, and affects multiple major Linux distributions in their default configurations. A proof-of-concept exploit has been published, and while a kernel patch is available upstream, distribution-level updates are still rolling out.
What Is the Vulnerability?
CIFSwitch is a local privilege escalation vulnerability in the Linux kernel’s CIFS (Common Internet File System) subsystem. When a CIFS network share uses Kerberos for authentication, the kernel requests a cifs.spnego-type key via the keyring subsystem, which invokes the root-privileged cifs.upcall helper to perform the Kerberos/SPNEGO authentication. The vulnerability exists because the kernel’s CIFS subsystem fails to verify that cifs.spnego key requests originate from the kernel’s CIFS client — allowing an unprivileged user to forge a cifs.spnego request and trigger the authentication workflow with attacker-controlled fields.
The attack chain works as follows: the attacker crafts a forged cifs.spnego key request, which the root-privileged cifs.upcall helper trusts because it assumes the fields were generated by the kernel. The attacker abuses these trusted fields to force a namespace switch and then triggers a Name Service Switch (NSS) lookup before privileges are dropped. By loading a malicious NSS module through this lookup, the attacker achieves arbitrary code execution as root.
The vulnerability was discovered and named by Asim Viladi Oglu Manizada, a security engineer at SpaceX, who published a full technical write-up alongside a proof-of-concept exploit. The upstream kernel fix is commit 3da1fdf, which adds validation of cifs.spnego request origins.
Exploitation requires several conditions: a vulnerable kernel version, a vulnerable cifs-utils version, user namespaces to be available, and SELinux/AppArmor policies that do not specifically block the attack path. It is not universally exploitable on every Linux system, but several distributions are confirmed vulnerable with their default settings.
Which Versions Are Affected?
The vulnerability has been present in the Linux kernel since 2007. The following distributions are confirmed vulnerable with default configurations:
- Linux Mint 21.3 and 22.3
- CentOS Stream 9
- Rocky Linux 9
- AlmaLinux 9
- Kali Linux 2021.4 through 2026.1
- SUSE Linux Enterprise Server 15 SP7
Various versions of Ubuntu, Debian, Pop!_OS, openSUSE, Oracle Linux, and Amazon Linux may also be vulnerable if the cifs-utils package is installed. The following distributions are not exploitable due to default SELinux/AppArmor policies: Ubuntu 26.04, Fedora 40–44, CentOS Stream 10, Rocky Linux 10, SLES 16, AlmaLinux 10, and openSUSE Leap 16. Amazon Linux 2 and Kali Linux 2019.4/2020.4 are not affected because their cifs-utils versions lack the namespace-switch functionality.
Is It Being Exploited in the Wild?
No active exploitation has been reported at the time of writing. However, a proof-of-concept exploit has been published by the discoverer, which significantly lowers the barrier to exploitation. The vulnerability follows a pattern of recently disclosed Linux local privilege escalation flaws — including Copy Fail, Dirty Frag, Fragnesia, DirtyDecrypt, and PinTheft — that have received rapid attention from both security researchers and threat actors. The 19-year age of the vulnerable code and the availability of a public PoC mean exploitation in the wild is likely to follow. Organisations should not wait for confirmed attacks before applying mitigations.
What Is the Fix?
A kernel patch adding validation of cifs.spnego request origins has been merged upstream (commit 3da1fdf). The exact kernel versions shipping this patch vary per distribution — check your distribution’s security advisory for the specific fixed kernel version. The patch is available at:
https://github.com/torvalds/linux/commit/3da1fdf
In the interim, the following mitigations provide effective protection:
- Disable the CIFS kernel module if CIFS/SMB file sharing is not used:
  echo "blacklist cifs" > /etc/modprobe.d/blacklist-cifs.conf
- Remove the cifs-utils package if it is not required:
  apt remove cifs-utils or dnf remove cifs-utils
- Disable unprivileged user namespaces:
  sysctl -w kernel.unprivileged_userns_clone=0
  Note: this may impact container workloads — test before deploying in production.
Recommendations
Apply mitigations immediately on multi-user Linux systems. Any server where unprivileged users have shell access — shared hosting environments, development servers, HPC clusters, university systems — should apply the interim mitigations today while waiting for the distribution kernel update. Single-user workstations and servers with strict access controls can apply mitigations or the kernel patch during the next maintenance cycle.
Audit your Linux fleet for CIFS exposure. Check whether the cifs-utils package is installed on servers where it serves no operational purpose. The CIFS module is often present by default even on systems that never mount SMB shares — removing it eliminates the entire attack surface for this vulnerability.
Monitor your distribution’s security advisory channel. Kernel updates are being prepared across all major distributions. Apply the vendor kernel patch as soon as it is available for your platform, even if interim mitigations are in place.
Review user namespace policies. This vulnerability is one of many Linux privilege escalation techniques that rely on unprivileged user namespaces. If your environment does not require them, disabling them system-wide provides defence-in-depth against this and future kernel exploits.
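The fleet audit and the interim mitigations above, folded into one host check. This is an added example, not code from the advisory, the kernel project or cifs-utils; it assumes the stock request-key.conf locations and the cifs.spnego line that cifs-utils ships, uses the kernel.unprivileged_userns_clone sysctl named above (a Debian/Ubuntu-specific knob) and falls back to the mainline user.max_user_namespaces elsewhere.

```shell
#!/bin/sh
# Added audit helper for the three exposure factors the advisory names:
# cifs module available, cifs.upcall wired to cifs.spnego, unprivileged
# user namespaces enabled. Not the advisory's, kernel's or cifs-utils' code.

# 0 when a sysctl value string means unprivileged user namespaces are off
# (kernel.unprivileged_userns_clone on Debian/Ubuntu, user.max_user_namespaces
# on mainline kernels; both read 0 when disabled).
userns_disabled() {
    [ "$1" = "0" ]
}

# 0 when a request-key.conf-style file ($1) routes cifs.spnego to cifs.upcall.
# Stock line shipped by cifs-utils: create cifs.spnego * * /usr/sbin/cifs.upcall %k
spnego_upcall_configured() {
    grep -Eq '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]].*cifs\.upcall' "$1" 2>/dev/null
}

# 0 when the cifs module is loaded now or can be loaded on demand.
cifs_module_available() {
    grep -q '^cifs ' /proc/modules 2>/dev/null && return 0
    modinfo cifs >/dev/null 2>&1
}

# Verdict from three 0/1 flags: module available, upcall configured, userns enabled.
classify_exposure() {
    if [ "$1" = 1 ] && [ "$2" = 1 ] && [ "$3" = 1 ]; then echo exposed
    elif [ "$1" = 1 ] && [ "$2" = 1 ]; then echo mitigated-by-userns
    else echo not-exposed
    fi
}

# Gather live values from this host and print one verdict line.
audit_host() {
    mod=0; cifs_module_available && mod=1
    up=0
    if [ -x /usr/sbin/cifs.upcall ]; then
        for f in /etc/request-key.conf /etc/request-key.d/*.conf; do
            spnego_upcall_configured "$f" && up=1
        done
    fi
    v=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null \
        || sysctl -n user.max_user_namespaces 2>/dev/null || echo 1)
    ns=1; userns_disabled "$v" && ns=0
    printf 'cifs_module=%s cifs_upcall=%s userns=%s verdict=%s\n' \
        "$mod" "$up" "$ns" "$(classify_exposure "$mod" "$up" "$ns")"
}

# Run the live audit only when invoked as: sh cifs_audit.sh --audit
case "${1:-}" in --audit) audit_host ;; esac
```

A modprobe.d blacklist line only suppresses loading by alias; an explicit modprobe cifs still succeeds, so add `install cifs /bin/false` to the same file when a hard block is wanted.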
References
- Upstream Kernel Fix — Commit 3da1fdf
- BleepingComputer: CIFSwitch Linux Flaw
- Vulnerability Intelligence Report — May 31, 2026
This advisory was first covered in the broader Vulnerability Intelligence Report — May 31, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities as of today, refer to the full report.
