Rocky Linux — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/rocky-linux/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 30 May 2026 14:23:52 +0000CIFSwitch Linux Kernel Local Privilege Escalation Vulnerabilityhttps://feed.craftedsignal.io/briefs/2026-05-cifswitch-lpe/Sat, 30 May 2026 14:23:52 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cifswitch-lpe/The CIFSwitch vulnerability in the Linux kernel allows an unprivileged user to forge CIFS authentication key descriptions, abuse the kernel's key request mechanism, and gain root privileges by loading a malicious NSS module.A newly discovered local privilege escalation vulnerability named ‘CIFSwitch’ affects the Linux kernel. This vulnerability, introduced in 2007, allows an unprivileged user to forge CIFS authentication key descriptions and abuse the kernel’s key request mechanism to gain root privileges. The issue stems from the kernel’s CIFS subsystem failing to properly validate the origin of cifs.spnego key requests. Successful exploitation depends on factors like a vulnerable kernel version, a vulnerable cifs-utils version (6.14 and higher, with some older variants also affected), the availability of user namespaces, and permissive SELinux/AppArmor policies. Several distributions, including Linux Mint 21.3/22.3, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali Linux 2021.4-2026.1, and SLES 15 SP7, are confirmed to be vulnerable with their default configurations. Exploitation can lead to complete system compromise.

Attack Chain

  1. An unprivileged user crafts a forged cifs.spnego key request.
  2. The forged request is sent to the Linux keyring subsystem.
  3. The kernel, lacking proper validation, triggers the normal authentication workflow.
  4. The root-privileged cifs.upcall helper is invoked.
  5. The cifs.upcall helper trusts attacker-controlled fields, assuming they originated from the kernel.
  6. The attacker abuses these fields to force a namespace switch.
  7. The attacker triggers a Name Service Switch (NSS) lookup.
  8. Before privileges are dropped, a malicious NSS module is loaded, resulting in root code execution.

Impact

Successful exploitation of CIFSwitch results in a local attacker gaining root privileges on the affected Linux system. This allows the attacker to execute arbitrary code with the highest level of privilege, potentially leading to data theft, system corruption, or complete system takeover. The vulnerability impacts several popular Linux distributions and could affect numerous systems if not patched or mitigated. While the researcher has confirmed vulnerability in some distributions, successful exploitation depends on specific configuration factors.

Recommendation

  • Apply the kernel patch that adds validation of cifs.spnego request origins (upstream commit 3da1fdf) to remediate the vulnerability.
  • If the CIFS module is not used, disable or blacklist it to prevent potential exploitation.
  • Remove the cifs-utils package if it is not necessary for system functionality.
  • Disable unprivileged user namespaces to limit the attack surface.
  • Monitor for unexpected cifs.upcall executions, especially those initiated by unprivileged users, using a process creation rule.
  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
]]>highadvisoryprivilege-escalationlinuxcifskernel