{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/opensuse/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Linux Mint","CentOS Stream","Rocky Linux","AlmaLinux","Kali Linux","SLES","Ubuntu","Debian","Pop!_OS","openSUSE","Oracle Linux","Amazon Linux","cifs-utils"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","linux","cifs","kernel"],"_cs_type":"advisory","_cs_vendors":["Canonical","Red Hat","Oracle","Amazon","SUSE"],"content_html":"\u003cp\u003eA newly discovered local privilege escalation vulnerability named \u0026lsquo;CIFSwitch\u0026rsquo; affects the Linux kernel. This vulnerability, introduced in 2007, allows an unprivileged user to forge CIFS authentication key descriptions and abuse the kernel\u0026rsquo;s key request mechanism to gain root privileges. The issue stems from the kernel\u0026rsquo;s CIFS subsystem failing to properly validate the origin of \u003ccode\u003ecifs.spnego\u003c/code\u003e key requests. Successful exploitation depends on factors like a vulnerable kernel version, a vulnerable \u003ccode\u003ecifs-utils\u003c/code\u003e version (6.14 and higher, with some older variants also affected), the availability of user namespaces, and permissive SELinux/AppArmor policies. Several distributions, including Linux Mint 21.3/22.3, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali Linux 2021.4-2026.1, and SLES 15 SP7, are confirmed to be vulnerable with their default configurations. Exploitation can lead to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged user crafts a forged \u003ccode\u003ecifs.spnego\u003c/code\u003e key request.\u003c/li\u003e\n\u003cli\u003eThe forged request is sent to the Linux keyring subsystem.\u003c/li\u003e\n\u003cli\u003eThe kernel, lacking proper validation, triggers the normal authentication workflow.\u003c/li\u003e\n\u003cli\u003eThe root-privileged \u003ccode\u003ecifs.upcall\u003c/code\u003e helper is invoked.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecifs.upcall\u003c/code\u003e helper trusts attacker-controlled fields, assuming they originated from the kernel.\u003c/li\u003e\n\u003cli\u003eThe attacker abuses these fields to force a namespace switch.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a Name Service Switch (NSS) lookup.\u003c/li\u003e\n\u003cli\u003eBefore privileges are dropped, a malicious NSS module is loaded, resulting in root code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CIFSwitch results in a local attacker gaining root privileges on the affected Linux system. This allows the attacker to execute arbitrary code with the highest level of privilege, potentially leading to data theft, system corruption, or complete system takeover. The vulnerability impacts several popular Linux distributions and could affect numerous systems if not patched or mitigated. While the researcher has confirmed vulnerability in some distributions, successful exploitation depends on specific configuration factors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the kernel patch that adds validation of \u003ccode\u003ecifs.spnego\u003c/code\u003e request origins (upstream commit 3da1fdf) to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eIf the CIFS module is not used, disable or blacklist it to prevent potential exploitation.\u003c/li\u003e\n\u003cli\u003eRemove the \u003ccode\u003ecifs-utils\u003c/code\u003e package if it is not necessary for system functionality.\u003c/li\u003e\n\u003cli\u003eDisable unprivileged user namespaces to limit the attack surface.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected \u003ccode\u003ecifs.upcall\u003c/code\u003e executions, especially those initiated by unprivileged users, using a process creation rule.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-30T14:23:52Z","date_published":"2026-05-30T14:23:52Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cifswitch-lpe/","summary":"The CIFSwitch vulnerability in the Linux kernel allows an unprivileged user to forge CIFS authentication key descriptions, abuse the kernel's key request mechanism, and gain root privileges by loading a malicious NSS module.","title":"CIFSwitch Linux Kernel Local Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cifswitch-lpe/"}],"language":"en","title":"CraftedSignal Threat Feed — OpenSUSE","version":"https://jsonfeed.org/version/1.1"}