Severity
High
Analysis Summary
A newly disclosed Linux local privilege escalation (LPE) vulnerability, dubbed “CIFSwitch,” allows low-privileged users to gain root access by exploiting a logic flaw between the Linux kernel CIFS client and the userspace cifs-utils package. The vulnerability was discovered by a security researcher, who also released a detailed technical write-up and proof-of-concept (PoC) exploit to help organizations test their exposure and validate available patches. The flaw originates from improper validation of key descriptions within the CIFS SPNEGO authentication mechanism, enabling attackers to impersonate trusted kernel requests and trigger privileged operations. The issue has reportedly existed in the Linux kernel since 2007, making it a long-standing security weakness affecting systems that rely on CIFS/SMB network file sharing.
The vulnerability specifically impacts the interaction between the Linux kernel CIFS client and the root-privileged userspace helper “cifs-upcall,” which is part of the cifs-utils package. In normal operation, the kernel requests authentication using Linux keyrings and passes trusted description strings containing parameters such as server information, UID, PID, and namespace targets. However, researchers discovered that the kernel failed to verify whether these descriptions genuinely originated from the CIFS subsystem. As a result, unprivileged users can directly invoke crafted request_key() calls with attacker-controlled descriptions. Because the system still recognizes the request as a valid cifs.spnego operation, the request-key mechanism launches cifs-upcall with root privileges, unintentionally allowing attackers to abuse the authentication workflow.
The exploit chain becomes particularly dangerous through manipulation of the “pid” and “upcall_target” parameters inside the forged request. By setting upcall_target=app and specifying the PID of an attacker-controlled process, attackers can force cifs-upcall to switch into attacker-controlled namespaces before conducting privileged NSS (Name Service Switch) lookups. Within this controlled environment, attackers can deploy malicious nsswitch.conf files and rogue libnss shared libraries, causing root-privileged processes to load and execute arbitrary code. In the published PoC, the malicious NSS module modifies the /etc/sudoers.d configuration, effectively granting the attacker full root-level access to the system. Exploitation requires a vulnerable kernel, a compatible cifs-utils version, enabled unprivileged user namespaces, and Linux Security Module policies such as SELinux or AppArmor that do not block the attack path.
Security researchers noted that many mainstream Linux distributions are exploitable by default when cifs-utils is installed, while others become vulnerable only after specific configurations or relaxed security policies. In response, upstream Linux developers have released kernel patches that introduce a “vet_description” validation hook for the cifs.spnego key type, ensuring that only legitimate CIFS subsystem requests are accepted. Additional hardening measures are also being recommended for cifs-utils so that cifs-upcall no longer blindly trusts incoming key descriptions. Administrators are strongly advised to immediately apply backported kernel patches, disable CIFS functionality where unnecessary, remove unused cifs-utils packages, tighten request-key policies for cifs.spnego, and restrict unprivileged user namespace creation to reduce the risk of exploitation.
Impact
- Gain Access
Remediation
- Apply the latest upstream and backported Linux kernel security patches addressing the “CIFSwitch” vulnerability immediately.
- Update or patch vulnerable versions of the cifs-utils package, especially versions 6.14+ or older builds with backported changes.
- Disable CIFS/SMB services on systems where network file sharing is not required.
- Remove the cifs-utils package from systems that do not actively use CIFS authentication features.
- Restrict or disable unprivileged user namespace creation to reduce the attack surface.
- Harden and review /sbin/request-key policies related to cifs.spnego requests.
- Enforce strict Linux Security Module (LSM) policies using SELinux or AppArmor to block unauthorized namespace switching and malicious NSS library loading.
- Monitor systems for suspicious modifications to /etc/sudoers.d, nsswitch.conf, or unexpected libnss_*.so.2 files.
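As an added defender-side example (not code from the advisory or from the cifs-utils project), the following Python audits constructed copies of the host artefacts named in the remediation list: request-key.conf rules that dispatch cifs.spnego keys to a root helper, nsswitch.conf modules outside a known set, libnss_*.so.2 files and /etc/sudoers.d entries absent from a recorded baseline, and the sysctl knobs that restrict unprivileged user namespaces. The known-module set, the sysctl names and all sample inputs are assumptions, not values taken from the page.

```python
import re

# NSS modules glibc and common distro packages normally provide (assumed list); others are reported.
KNOWN_NSS_MODULES = {"files", "dns", "compat", "db", "systemd", "myhostname", "resolve",
                     "mymachines", "sss", "ldap", "winbind", "mdns4_minimal", "mdns4"}
NSS_LIB = re.compile(r"^libnss_[A-Za-z0-9_]+\.so\.2$")


def cifs_spnego_rules(request_key_conf):
    """request-key.conf rules that hand cifs.spnego keys to a helper; each one deserves review."""
    rules = []
    for line in request_key_conf.splitlines():
        fields = line.split("#", 1)[0].split()          # drop comments, tokenize
        # Rule format: <op> <key-type> <description> <callout-info> <program> [args...]
        if len(fields) >= 5 and fields[1] == "cifs.spnego":
            rules.append(" ".join(fields))
    return rules


def unknown_nss_modules(nsswitch_conf):
    """Map each nsswitch.conf database to the modules it names outside KNOWN_NSS_MODULES."""
    findings = {}
    for line in nsswitch_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, spec = line.split(":", 1)
        # Bracketed tokens such as [NOTFOUND=return] are actions, not module names.
        unexpected = [m for m in spec.split() if not m.startswith("[") and m not in KNOWN_NSS_MODULES]
        if unexpected:
            findings[db.strip()] = unexpected
    return findings


def new_files(current, baseline):
    """Paths present now but absent from the recorded baseline (use for /etc/sudoers.d listings)."""
    return sorted(p for p in current if p not in set(baseline))


def unexpected_nss_libraries(lib_paths, baseline):
    """Only the new files that look like NSS modules (libnss_<name>.so.2)."""
    return [p for p in new_files(lib_paths, baseline) if NSS_LIB.match(p.rsplit("/", 1)[-1])]


def userns_unrestricted(sysctls):
    """True unless a knob that disables unprivileged user namespaces is set (assumed knob names)."""
    return not (sysctls.get("user.max_user_namespaces") == "0"
                or sysctls.get("kernel.unprivileged_userns_clone") == "0")


if __name__ == "__main__":
    # Constructed sample inputs standing in for the live host files.
    rk = "# request-key.conf\ncreate cifs.spnego * * /usr/sbin/cifs.upcall %k\n"
    nss = "passwd: files systemd\nhosts: files rogue dns [NOTFOUND=return]\n"
    libs = ["/lib/libnss_files.so.2", "/lib/libnss_rogue.so.2"]
    print(cifs_spnego_rules(rk), unknown_nss_modules(nss), unexpected_nss_libraries(libs, libs[:1]),
          userns_unrestricted({"user.max_user_namespaces": "0"}))
```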