A critical, long-standing vulnerability has resurfaced in the Linux kernel. Dubbed CIFSwitch, this vulnerability affects several major distributions. It grants root access via the CIFS mount, a crucial protocol for network file sharing.
This discovery serves as a reminder that even in a mature system, vulnerabilities can remain dormant for a long time. The stakes are all the higher because it affects the core of network operations under Linux.
It is important to be vigilant, to understand the mechanisms and to follow the corrective measures to avoid any major problems.
Understanding the CIFSwitch vulnerability and its impact on Linux systems
CIFSwitch exploits a 19-year-old vulnerability in the handling of the Common Internet File System (CIFS) protocol. This protocol is central to accessing files shared on a local network. Under Linux, the kernel includes a CIFS client responsible for mounting and communicating with SMB servers.
The main problem stems from the user interface provided by the cifs-utils package. For mounts requiring Kerberos authentication, this interface handles security, but the Linux kernel doesn’t properly verify the origin of requests. As a result, an unprivileged user can manipulate authentication keys to gain root privileges.
In practice, the attack uses the request_key function, which requests a cifs.spnego key, essential for authentication. An attacker simply needs to inject a falsified description to bypass the controls.
Linux distributions most at risk in 2026
Many popular distributions had to react quickly. Ubuntu, Fedora, CentOS, Rocky Linux, AlmaLinux, openSUSE, and SLES released patches within the first few days. However, manual installation or the presence of the cifs-utils package can make the situation risky.
Here are some distributions that are affected under certain conditions:
- Kali Linux (versions 2021.4 to 2026.1)
- Linux Mint 21.3/22.3 Cinnamon
- SLES 15 SP7 and SAP 15 SP7 when activating AppArmor
- AlmaLinux 9.7 Workstation and Azure cloud image
- CentOS Stream 9 Gnome
- Rocky Linux 9 Workstation with SELinux in “enforcing” mode
- SLES SAP 16 with SELinux in permissive mode
Note that some distributions such as Amazon Linux 2 KVM or Kali Linux 2019.4/2020.4 are not affected.
Why is this vulnerability so dangerous despite being 19 years old?
Old vulnerabilities lying dormant in code are like those old tools forgotten in a barn: they seem harmless until the day they are brought out again. CIFSwitch had been lurking in the Linux kernel since 2007 without being detected.
Asim Viladi Oglu Manizada, a senior security engineer at SpaceX, demonstrated that the problem stems from a glaring lack of kernel verification regarding the origin of requests and the cifs.spnego keys. This deficiency allows a malicious module with administrative privileges to be loaded.
More specifically, the attacker exploits fake key descriptions by combining a malicious PID with a private namespace, putting them in the right “room” to execute root code.
The attack mechanisms in detail
The attack relies on several tools and configurations:
- A fake NSS configuration file
- A malicious NSS module injected into the namespace
- A trigger that forces cifs.upcall to load this fake library
This mechanism results in entries being written to sudoers.d, giving virtually uncontrolled access to a root account.
A Proof of Concept available on GitHub is used to validate these conditions and test the available patches. This allows Linux teams and system administrators to proactively upgrade their systems.
Best practices for dealing with the CIFSwitch vulnerability: vigilance and patches
Underestimating this vulnerability is vital. It’s not enough to assume your distribution is safe simply because you don’t usually use CIFS mounting. The cifs-utils package, often installed by default or for specific needs, can leave the door open.
To protect yourself, here are some practical tips:
- Keep your system up to date with the latest kernel patches and CISF utilities
- Audit the presence of the cifs-utils package and verify its usage
- Enable security tools like AppArmor or SELinux with appropriate configurations
- Monitor network activity and system logs to detect any abnormal activity
- Limit access for non-privileged users and isolate sensitive environments
By remembering the adage: “prevention is better than cure”, these simple actions already avoid a lot of trouble.
Resources and information to explore the topic further
For those who want to delve deeper, several reliable sources detail the vulnerability and its implications:
- CIFSwitch technical analysis on itsense.fr
- CISA warns of a critical vulnerability in Linux
- Mitigation actions and CloudLinux update
These resources contribute to a better understanding of the challenges and defenses in Linux security, while disseminating valuable knowledge.
What is CIFSwitch?
A serious vulnerability has been present in the Linux kernel since 2007, linked to the CIFS protocol and the cifs-utils package, which allows escalation of privileges to the root level.
Which systems are affected?
Large distributions such as Ubuntu, Fedora, CentOS, Rocky Linux, Kali Linux, Linux Mint and SLES are affected, especially if the cifs-utils package is installed and used.
How to protect yourself?
Apply official updates, limit the use of cifs-utils, monitor access and activate SELinux or AppArmor with vigilance.
Can a remote user be affected?
No, this vulnerability allows for local privilege escalation, so the attacker must already have unprivileged access to the system.
Is a public exploit available?
Yes, a Proof of Concept is published on GitHub, useful for testing patches and demonstrating the vulnerability.
Source: www.lemondeinformatique.fr