New CIFSwitch Vulnerability in Linux Enables Full Root Compromise

Key points:

  • The CIFSwitch vulnerability allows any local user without administrator privileges to gain full root access on Linux systems running cifs-utils 6.14 or later with CIFS enabled.
  • The vulnerability remained hidden in the Linux ecosystem since 2007 and was discovered using AI-based semantic graph analysis instead of traditional manual code review methods.
  • Security researchers confirmed successful exploitation on multiple Linux distributions, including Linux Mint, Kali Linux, Rocky Linux, AlmaLinux, CentOS Stream 9, and several SUSE Enterprise versions, with a public proof-of-concept (PoC) exploit now available.

CIFSwitch Vulnerability Details:

The newly discovered local privilege escalation (LPE) vulnerability, dubbed CIFSwitch, exposes a critical design flaw in the Linux kernel’s CIFS (Common Internet File System) client that has been latent since 2007.

The bug allows any low-privileged local user to elevate themselves to full root access by exploiting a missing validation check between the kernel CIFS subsystem and the userspace `cifs-utils` helper.

This vulnerability is especially concerning given that it is the fourth major Linux kernel privilege escalation requiring immediate action in just a matter of weeks, following recent flaws like “Copy Fail,” “Dirty Frag,” and “Fragnesia”. With a public Proof-of-Concept (PoC) already released, system administrators must act immediately to prevent unauthorized root access.

The root cause

The kernel lacks a `.vet_description` hook for the `cifs_spnego_key_type`. This omission means the kernel does not verify whether a request for a `cifs.spnego` key originated from the trusted CIFS subsystem or from a malicious user process.

An attacker can exploit this by calling `request_key()` or `add_key()` directly, forging the key description to include malicious parameters like `pid` and `upcall_target`.

How the Exploit Works

Exploitation requires a vulnerable kernel, a compatible cifs-utils version, and the ability to create unprivileged user namespaces. Many mainstream Linux distributions have been found vulnerable out of the box when cifs-utils is present, while others require adjustments to Linux Security Module (LSM) policies.

  • Fake Request Creation:
    An attacker with basic local access creates a fake `cifs.spnego` request and sends it to the Linux kernel.
  • Root Privilege Abuse:
    The kernel automatically launches the `cifs.upcall` helper tool with root privileges, trusting the request as legitimate.
  • Namespace Hijacking:
    By abusing Linux namespace settings, the attacker tricks the root process into operating inside an attacker-controlled environment.
  • Malicious Code Execution:
    The attacker places a fake `nsswitch.conf` file and a malicious shared library inside this environment. When the root process performs a system lookup, it unknowingly loads and executes the attacker’s malicious code as root.
  • Full Root Access:
    The public proof-of-concept exploit ultimately adds a `NOPASSWD: ALL` entry to the sudoers configuration, allowing the attacker to gain unrestricted root access to the Linux system.

Asim Manizada has published the full technical write-up (“CIFSwitch”) and the PoC exploit on GitHub to support defenders, maintainers, and incident responders in verifying mitigations and patch coverage.

Recommendation on security patches

The kernel patch introduces a `vet_description` hook for the `cifs.spnego` key type to verify that descriptions are requested under the CIFS client’s internal `spnego_cred`.

This measure prevents unprivileged userspace from posing as the kernel. Additional hardening of `cifs.upcall` is advised so that it does not blindly trust descriptions that claim to originate from the kernel.

Administrators should urgently deploy the backported kernel patches and consider defense-in-depth measures such as disabling CIFS where unused, removing cifs-utils, tightening request-key rules for `cifs.spnego`, and restricting unprivileged user namespaces.
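As an added example (not part of this article or of the CIFSwitch write-up), the following POSIX shell script audits the defense-in-depth items listed above on a host: whether the cifs kernel module is loaded, whether the `cifs.upcall` helper and its `cifs.spnego` request-key rule are installed, and whether unprivileged user namespaces are restricted. The helper functions take their input as arguments so the classification logic can be exercised offline. The file locations (`/etc/request-key.conf`, `/etc/request-key.d/*.conf`, `/usr/sbin/cifs.upcall`) and the `user.max_user_namespaces` sysctl are standard; the `kernel.unprivileged_userns_clone` knob exists only on Debian/Ubuntu-derived kernels. The script does not detect whether the kernel itself carries the fix; it only reports the attack surface an administrator can reduce while patches roll out.

```shell
#!/bin/sh
# Added example: audit the CIFSwitch defense-in-depth recommendations.
# Pure helpers take text as arguments; audit_host reads the live system.

# Does the given request-key configuration text contain an active rule that
# hands cifs.spnego key requests to an upcall helper? cifs-utils ships such a
# rule in /etc/request-key.d/cifs.spnego.conf; commented-out lines are ignored.
spnego_rule_present() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]]'
}

# Classify a user.max_user_namespaces value: 0 means unprivileged users cannot
# create user namespaces ("restricted"); any positive count means "open".
userns_state() {
    case "$1" in
        0)            echo restricted ;;
        ''|*[!0-9]*)  echo unknown ;;
        *)            echo open ;;
    esac
}

# Is the cifs module loaded, judging from /proc/modules content?
# (Matches the module named exactly "cifs", not helpers such as cifs_md4.)
cifs_loaded() {
    printf '%s\n' "$1" | grep -Eq '^cifs[[:space:]]'
}

# Gather request-key rules from the standard locations (missing files are fine).
request_key_rules() {
    cat /etc/request-key.conf /etc/request-key.d/*.conf 2>/dev/null || true
}

audit_host() {
    if cifs_loaded "$(cat /proc/modules 2>/dev/null || true)"; then
        echo "cifs module:        loaded"
    else
        echo "cifs module:        not loaded"
    fi

    if [ -x /usr/sbin/cifs.upcall ]; then
        echo "cifs.upcall helper: present (/usr/sbin/cifs.upcall)"
    else
        echo "cifs.upcall helper: absent"
    fi

    if spnego_rule_present "$(request_key_rules)"; then
        echo "cifs.spnego rule:   present in request-key configuration"
    else
        echo "cifs.spnego rule:   absent"
    fi

    ns_max=$(sysctl -n user.max_user_namespaces 2>/dev/null || true)
    echo "user namespaces:    $(userns_state "$ns_max") (user.max_user_namespaces=${ns_max:-?})"

    # Debian/Ubuntu kernels expose an extra switch; report it when available.
    if clone=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null); then
        echo "unprivileged_userns_clone: $clone"
    fi
}

audit_host
```

A host where the module is not loaded, the helper and rule are absent, and user namespaces read "restricted" has removed every precondition the article lists; any other combination is a reason to prioritise the kernel update.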

Sources: cifs-utils – Cyber Web Spider Blog – News