CIFSwitch — Linux Kernel CIFS/SPNEGO Key Validation Logic Flaw Enables Unprivileged Local Root via cifs.upcall Namespace Hijack (Public PoC, CVE Pending) — Threadlinqs Intelligence
Threat ID: TL-2026-0618 · Severity: HIGH · CVSS: 7.8 · Status: ACTIVE · Category: VULNERABILITY
CIFSwitch is a Linux local privilege escalation disclosed on 2026-05-28 by researcher Asim Manizada, abusing a missing origin check on the kernel's cifs.spnego key type. Any unprivileged process can
## Overview
CIFSwitch (disclosed 2026-05-28) is a Linux local privilege escalation (LPE) chaining a kernel logic flaw in the CIFS subsystem with a privileged upcall behavior in the userspace cifs-utils helper. The vulnerability was discovered by independent researcher Asim Manizada using what he describes as an AI-assisted, multi-hop semantic-graph reasoning approach over kernel security-relevant objects. The kernel-side root cause traces back to 2007, when the cifs.spnego key type was introduced without a `.vet_description` callback to verify that key descriptions originate from inside the CIFS client. CIFSwitch turns this missing origin check into reliable unprivileged-to-root code execution on stock-default installs of many mainstream Linux distributions.
A CVE identifier is pending at time of disclosure. The kernel-side patch (commit 3da1fdf4efbc, "smb: client: reject userspace cifs.spnego descriptions") has been public for over a week and is queued for stable trees. Public PoC and full technical writeup are available at https://github.com/manizada/CIFSwitch and https://heyitsas.im/posts/cifswitch/.
## Exploit Chain
1. **Forged key request (unprivileged):** The attacker process invokes the `request_key(2)` syscall with key type `"cifs.spnego"` and a crafted description string that mimics the format kernel CIFS itself emits, e.g. `ver=0x2;host=<hostname>;ip4=<addr>;sec=krb5;uid=0x0;creduid=0x0;pid=0x<attacker_pid>;upcall_target=app`. Pre-patch, the kernel accepts this description because the cifs_spnego_key_type structure has no `.vet_description` hook, so it cannot tell that the request did not come from inside the CIFS client.
2. **Root upcall (kernel→userspace):** The kernel request_key infrastructure invokes /sbin/request-key, which consults /etc/request-key.d/cifs.spnego.conf (default rule: `create cifs.spnego * * /usr/sbin/cifs.upcall %k`) and spawns /usr/sbin/cifs.upcall as uid 0.
3. **Namespace hijack (uid 0):** cifs.upcall ≥ 6.14 honors the `upcall_target=app` field and uses the `pid=` field to call `switch_to_process_ns()` (setns into the attacker process's namespaces, including mount namespace). The privileged helper is now operating inside the attacker's filesystem view.
4. **NSS code execution as root:** Before dropping privileges, cifs.upcall calls `getpwuid()` to map the supplied uid to a name. NSS resolution reads the attacker-namespace `/etc/nsswitch.conf`, which points at a malicious module loaded via `libnss_<name>.so.2` from the attacker's mount namespace. The dynamic loader maps that attacker-supplied shared object into the uid 0 helper, so the module's code runs as root.
5. **Persistence:** Manizada's PoC NSS module writes an /etc/sudoers.d/ entry that grants the unprivileged attacker passwordless root via sudo, providing a stable post-exploit root channel even if the upcall is later sandboxed.
## Pre-Conditions
- Vulnerable kernel (pre-3da1fdf4efbc, effectively every released kernel since 2007 supporting CIFS).
- cifs-utils ≥ 6.14 installed with the default request-key rule for cifs.spnego (older cifs-utils predates the namespace-switching upcall path).
- Unprivileged user/mount namespace creation enabled (`kernel.unprivileged_userns_clone=1` on Debian/Ubuntu derivatives, default-on for upstream).
- No blocking LSM policy — absent or non-confining SELinux/AppArmor for cifs.upcall's setns and dlopen paths.
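As an added defender-side check that is not part of the writeup or of cifs-utils, this POSIX sh script reports which of the four listed preconditions hold on a host, so an administrator can prioritise patching. It assumes the default `/etc/request-key.d/cifs.spnego.conf` path and that `cifs.upcall -v` prints `version: N.N`; the kernel-patch and LSM preconditions are not machine-checked here.

```shell
#!/bin/sh
# Added example, not code from the CIFSwitch writeup or cifs-utils: report which
# of the page's preconditions hold on this host. It only reads configuration and
# never requests a key. Assumed: request-key.d lives under /etc and
# `cifs.upcall -v` prints "version: N.N". Kernel patch state and LSM confinement
# are not checked here.
# Default rule from the page: `create cifs.spnego * * /usr/sbin/cifs.upcall %k`.
# Returns 0 when $1 routes every cifs.spnego description to cifs.upcall.
has_default_cifs_upcall_rule() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]]+\*[[:space:]]+\*[[:space:]]+[^[:space:]]*cifs\.upcall' "$1"
}

# Map "6.14.1" to 6014 so major.minor versions compare as integers.
version_key() {
    major=${1%%.*}
    rest=${1#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    [ -n "$minor" ] || minor=0
    echo $((major * 1000 + minor))
}

# The namespace-switching upcall path arrived in cifs-utils 6.14 (per the page).
cifs_utils_has_ns_switch() {
    [ "$(version_key "$1")" -ge "$(version_key 6.14)" ]
}

# $1: kernel.unprivileged_userns_clone (Debian/Ubuntu knob, empty elsewhere)
# $2: user.max_user_namespaces (upstream knob; 0 disables user namespaces)
unpriv_userns_enabled() {
    [ "$1" = "0" ] && return 1
    [ "$2" = "0" ] && return 1
    return 0
}

scan_host() {
    hits=0
    has_default_cifs_upcall_rule /etc/request-key.d/cifs.spnego.conf \
        && echo "[!] default cifs.spnego -> cifs.upcall rule present" && hits=$((hits + 1))
    ver=$(/usr/sbin/cifs.upcall -v 2>/dev/null | sed -n 's/^version: *//p')
    [ -n "$ver" ] && cifs_utils_has_ns_switch "$ver" \
        && echo "[!] cifs-utils $ver >= 6.14 (namespace-switching upcall)" && hits=$((hits + 1))
    unpriv_userns_enabled "$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null)" \
        "$(sysctl -n user.max_user_namespaces 2>/dev/null)" \
        && echo "[!] unprivileged user namespaces enabled" && hits=$((hits + 1))
    [ "$hits" -eq 3 ] && echo "[!] all checkable preconditions hold; confirm the kernel has 3da1fdf4efbc"
    return $((3 - hits))
}
case "${1:-}" in --scan) scan_host ;; esac
```

Run it as `sh check.sh --scan`; the exit status is the number of checkable preconditions that did not hold, so 0 means every one of them is present.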
## Affected Distributions
**Stock-default exploitable (no extra package install required):** Linux Mint Cinnamon 21.3 and 22.3, CentOS Stream 9 GNOME, Rocky Linux 9 Workstation, Kali Linux 2021.4–2026.1 (headless and desktop), AlmaLinux 9.7 Workstation and Azure images, SUSE Linux Enterprise Server 15 SP7 / SLES for SAP 15 SP7 / SLES 16 SP-equivalent.
**Exploitable when cifs-utils is installed (very common in fileserver/admin workstations):** Ubuntu 18.04, 20.04, 22.04, 24.04; Debian 11, 12, 13; Pop!_OS 22.04 and 24.04; Rocky Linux 8; Oracle Linux 8 and 9; openSUSE Leap and Tumbleweed; Amazon Linux 2023.
**Blocked by default policy (LSM, sysctl, or m
## Weaknesses (CWE)
CWE-345, CWE-269, CWE-863, CWE-358
Target sectors: government, defense, financial, technology, telecommunications, education, healthcare, managed-service-providers, cloud-hosting, research
Target regions: Global, North America, Europe, Asia-Pacific, Middle East, Latin America
## Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 16 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
VULNERABILITY, HIGH, threat intelligence, cybersecurity, T1106, T1546, T1098, T1068, T1548, T1611, T1574.006, T1036.005, T1070.004, T1556