OSG-SEC-2026-05-28 HIGH CIFSwitch Local Privilege Escalation in Linux CIFS/cifs-utils

Dear OSG Security Contacts,

A local privilege escalation vulnerability affecting the Linux CIFS subsystem and cifs-utils has been publicly disclosed. The issue allows an unprivileged local user to obtain root code execution under certain configurations involving CIFS/SMB support. At the time of writing, a CVE assignment is still pending.

WHAT ARE THE VULNERABILITIES:

CIFS/SMB is a Windows-style network filesystem protocol. On Linux, the CIFS kernel client handles the actual filesystem parts: mounting the share, talking SMB to the server, doing reads/writes, etc. An unprivileged user may invoke:
request_key("cifs.spnego", ...)
with a forged CIFS SPNEGO description.
The request-key subsystem launches cifs.upcall as root. Affected versions of cifs.upcall trust attacker-controlled fields including:
- pid
- uid
- creduid
- upcall_target

When upcall_target=app is specified, the helper may switch into attacker-controlled namespaces and perform NSS lookups before privilege dropping, allowing execution of attacker-controlled libnss_*.so.2 libraries as root.

IMPACTED VERSIONS:

The issue appears to affect a broad range of modern Linux distributions and kernels. See reference [2] for more details. Systems may be vulnerable when all of the following conditions are met:

  • cifs-utils is installed
  • the cifs.spnego request-key rule is enabled
  • the CIFS kernel module is available (default on most distributions)
  • unprivileged user namespaces are enabled

Detection / Verification

cifs-utils is typically absent from minimal Linux installations and is generally associated with SMB/CIFS interoperability use cases. However, desktop-oriented, workstation, NAS-integrated, or cloud-focused images may include it by default or as a dependency.

Check whether cifs-utils is installed:
RHEL/Rocky/Alma/SUSE:
rpm -q cifs-utils

Ubuntu/Debian:
dpkg -s cifs-utils

Check for the vulnerable request-key rule:
grep -R cifs.spnego /etc/request-key /usr/lib/request-key

Check user namespace configuration:
sysctl kernel.unprivileged_userns_clone
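
The checks above, combined into one script as an added example (not part of the OSG advisory). It assumes rule files live under the two path prefixes in the advisory's grep, treats the presence of the rule's helper binary as a stand-in for the package query, also reads user.max_user_namespaces (an assumption beyond the advisory), and does not check for the CIFS kernel module or a patched kernel.

```shell
#!/bin/sh
# Added example, not the advisory's code. Each function takes an optional root
# prefix (hypothetical parameter) so a mounted image or test tree can be checked.

# Print the helper program of each active cifs.spnego "create" rule, skipping
# comments and "keyctl negate" overrides. Rule fields per request-key.conf(5):
# op type description callout-info program args...
# The globs expand the two path prefixes used in the advisory's grep.
spnego_helpers() {
    grep -R -h 'cifs\.spnego' "$1"/etc/request-key* "$1"/usr/lib/request-key* \
        2>/dev/null |
    awk '$1 == "create" && $2 == "cifs.spnego" &&
         !($5 ~ /(^|\/)keyctl$/ && $6 == "negate") { print $5 }'
}

# Exit 0 if an active rule names a helper that exists and is executable.
helper_reachable() {
    for prog in $(spnego_helpers "$1"); do
        [ -x "$1$prog" ] && return 0
    done
    return 1
}

# Exit 0 unless a readable knob is 0. The first sysctl is the one the advisory
# names; user.max_user_namespaces is an assumed fallback for kernels without it.
userns_enabled() {
    for f in kernel/unprivileged_userns_clone user/max_user_namespaces; do
        [ -r "$1/proc/sys/$f" ] || continue
        if [ "$(cat "$1/proc/sys/$f")" = "0" ]; then return 1; fi
    done
    return 0
}

# Print one verdict: no-active-rule, userns-disabled, or conditions-met.
cifswitch_status() {
    if ! helper_reachable "$1"; then echo "no-active-rule"
    elif ! userns_enabled "$1"; then echo "userns-disabled"
    else echo "conditions-met"; fi
}

cifswitch_status "${1:-}"
```

Run it with no argument to check the live system, or pass a mount point to check an offline image.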

Impact

Successful exploitation may allow an unprivileged local user to execute arbitrary code as root.
The issue is local-only and does not provide remote code execution by itself.

WHAT YOU SHOULD DO:

Mitigations
The vulnerability can be mitigated via any of the following:

  1. Remove unused CIFS support
    If SMB/CIFS functionality is not required:
    uninstall cifs-utils
    or disable/blacklist the CIFS kernel module

  2. Override the cifs.spnego request-key rule
    If Kerberos CIFS functionality is not required:
cat >/etc/request-key.d/cifs.spnego.conf <<'EOF'
create cifs.spnego * * /usr/sbin/keyctl negate %k 30 %S
EOF

  3. Disable unprivileged user namespaces
    Where operationally feasible:
    sysctl -w kernel.unprivileged_userns_clone=0
    Note this may impact containers or sandboxing technologies.

  4. Apply vendor kernel updates
    The upstream kernel fix is:
    3da1fdf4efbc ("smb: client: reject userspace cifs.spnego descriptions")

Sites should monitor vendor advisories and apply updated kernel packages as they become available.

REFERENCES

[1] https://www.openwall.com/lists/oss-security/2026/05/28/2
[2] https://heyitsas.im/posts/cifswitch
[3] https://github.com/torvalds/linux/commit/3da1fdf4efbc490041eb4f836bf596201203f8f2

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team