Last updated: July 5, 2026 at 9:01 AM UTC
Tag: cifs (1 article)

CIFSwitch Linux LPE: forged cifs.spnego key descriptions trick cifs.upcall into running as root - cifs-utils 6.14+ across multiple distros

SpaceX security engineer Asim Manizada has disclosed CIFSwitch, a Linux kernel local privilege escalation in the CIFS subsystem that lets an unprivileged user forge cifs.spnego key descriptions and trick the kernel's key-request mechanism into running cifs.upcall as root. CIFS (Common Internet File System) mounts and accesses files across a network; when a share uses Kerberos, the kernel asks the user-space cifs-utils helper to authenticate. The CIFS subsystem fails to verify that cifs.spnego key requests originate from the kernel's CIFS client, so a local attacker can supply a forged key and gain root. It affects cifs-utils 6.14 and higher, plus some older variants, across multiple distributions.

Check
Inventory Linux hosts with cifs-utils 6.14+ that mount Kerberos-authenticated CIFS shares. Identify multi-user systems where untrusted local users have shell access. Check distribution advisories for patched cifs-utils.
Affected
Linux distributions shipping cifs-utils 6.14 and higher (some older variants also affected) where the kernel CIFS subsystem fails to verify cifs.spnego key-request origin. Local shell access required.
Fix
Apply distribution kernel and cifs-utils updates as they ship. Where patches lag, restrict local user access on systems mounting Kerberos CIFS shares. Monitor request-key and cifs.upcall invocations.
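A sketch of the inventory step under "Check", added here as an example and not taken from the advisory or from cifs-utils. The function names, hostnames and sample mount lines are constructed; the script only reads mount tables and compares a package version string against the 6.14 threshold the page gives.

```shell
#!/bin/sh
# Added example for the "Check" step; all sample data below is constructed.

# Constructed sample in /proc/mounts format (hostnames and paths are made up).
sample_mounts() {
    cat <<'EOF'
//fs01.example.test/projects /mnt/projects cifs rw,relatime,vers=3.1.1,sec=krb5,cruid=1000 0 0
//fs02.example.test/public /mnt/public cifs rw,relatime,vers=3.0,sec=ntlmssp,username=guest 0 0
//fs03.example.test/hr /mnt/hr smb3 rw,relatime,vers=3.1.1,sec=krb5i,cruid=0 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}

# Print mount points of cifs/smb3 mounts whose options include sec=krb5*.
# $1: file in /proc/mounts format, or "-" for stdin (default: /proc/mounts).
krb5_cifs_mounts() {
    awk '($3 == "cifs" || $3 == "smb3") {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++)
                 if (opt[i] ~ /^sec=krb5/) { print $2; break }
         }' "${1:-/proc/mounts}"
}

# Exit 0 if the version string is 6.14 or higher, 1 if lower, 2 if unparsable.
# The page says some older variants are affected too, and distro backports can
# patch without bumping the upstream version, so this only ranks hosts for review.
version_in_flagged_range() {
    v=${1##*:}                     # drop a Debian-style epoch ("2:7.0-2")
    v=${v%%[-+~]*}                 # drop the distro release suffix
    case $v in *.*) ;; *) v="$v.0" ;; esac
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    case $major in ''|*[!0-9]*) return 2 ;; esac
    case $minor in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 14 ]; }
}

# triage <version> [mounts-file]: exit 1 and list the mounts when a host has
# Kerberos CIFS mounts and a version that is flagged or cannot be parsed.
triage() {
    mounts=$(krb5_cifs_mounts "${2:-/proc/mounts}")
    rc=0; version_in_flagged_range "$1" || rc=$?
    if [ "$rc" -ne 1 ] && [ -n "$mounts" ]; then
        printf 'REVIEW cifs-utils %s, Kerberos CIFS mounts:\n%s\n' "$1" "$mounts"
        return 1
    fi
    return 0
}
```

On a real host the version argument can come from `rpm -q --qf '%{VERSION}' cifs-utils` or `dpkg-query -W -f='${Version}' cifs-utils`, with the second argument left at its `/proc/mounts` default.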