CIFSwitch Flaw in Linux Grants Root Access

Details of the CIFSwitch vulnerability, together with an exploit, have been published. The flaw involves the CIFS kernel module and the cifs-utils toolkit. The vulnerability, for which no CVE has been assigned yet, allows an unprivileged user to gain root privileges on the system. The fix is currently available only as a patch, which was published on May 16 and accepted into the main branch of the Linux kernel on May 19. Corrective kernel releases are not available at this time.

The vulnerability affects the code that supports the cifs.spnego mechanism for authentication using the SPNEGO protocol when connecting to SMB servers. When resolving keys from Kerberos/SPNEGO, the kernel calls the cifs.upcall handler provided by the cifs-utils package and executed in user space as root.

An unprivileged user can invoke the handler by requesting the key “cifs.spnego” with a fake description of “CIFS SPNEGO”. The cifs.upcall handler performs no additional checks on the parameters passed by the kernel and treats values such as pid, uid, creduid, and upcall_target as trustworthy. The handler then switches to the user process’s namespace, performs a lookup in the NSS (Name Service Switch) system database, and loads substituted libraries with root privileges.

Exploitation requires that user namespaces and mount namespaces are enabled on the system and that the cifs-utils package is installed. Distributions where exploitation is possible in the default configuration include Linux Mint Cinnamon 21.3/22.3, CentOS Stream 9 GNOME, Rocky Linux 9 Workstation, Kali Linux, AlmaLinux 9.7 Workstation, and SUSE 15 SP7/SAP 15 SP7/SAP 16. Distributions where the exploit works only once the cifs-utils package has been installed include Ubuntu 18.04/20.04/22.04 Desktop/Server, Pop!_OS 22.04 Intel/24.04 Generic, Ubuntu 24.04 Desktop minimal/full and Server, Debian 11/12/13 netinst standard and GNOME/KDE/standard/XFCE, CentOS Stream 9 Cinnamon/KDE/MATE/XFCE, Rocky Linux 9 KDE/Workstation-Lite, openSUSE Leap 15.6 GNOME/KDE, and openSUSE Tumbleweed GNOME/KDE.
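An exposure check for the preconditions listed above, as an added example that is not taken from the advisory or from cifs-utils: it reports whether request-key is configured to run a handler for cifs.spnego keys and whether unprivileged user namespaces are available. The function names and status strings are hypothetical, the file locations are the usual request-key and sysctl paths (an assumption about the host), and the script checks neither mount namespace support nor whether the kernel already carries the patch.

```shell
#!/bin/sh
# Added example: checks the preconditions named above. Pass a root prefix to
# inspect a mounted image or test tree; no argument means the live host.

# Succeeds if unprivileged user namespaces appear to be available.
userns_enabled() {
    root=${1:-}
    max=$(cat "$root/proc/sys/user/max_user_namespaces" 2>/dev/null || echo 0)
    [ "$max" -gt 0 ] 2>/dev/null || return 1
    # Debian/Ubuntu-specific switch; the file is absent on other kernels.
    f="$root/proc/sys/kernel/unprivileged_userns_clone"
    if [ -r "$f" ] && [ "$(cat "$f")" = "0" ]; then return 1; fi
    return 0
}

# Prints the program that request-key is configured to run for cifs.spnego
# keys; fails if no such rule exists.
spnego_handler() {
    root=${1:-}
    for conf in "$root/etc/request-key.conf" "$root"/etc/request-key.d/*.conf; do
        [ -r "$conf" ] || continue
        # Rule fields: op type description callout-info program [args...]
        awk '$1 !~ /^#/ && $2 == "cifs.spnego" { print $5; hit = 1; exit }
             END { exit !hit }' "$conf" && return 0
    done
    return 1
}

# Prints one of: handler-absent, handler-only, preconditions-met.
cifswitch_exposure() {
    root=${1:-}
    handler=$(spnego_handler "$root") || { echo handler-absent; return 0; }
    [ -x "$root$handler" ] || { echo handler-absent; return 0; }
    if userns_enabled "$root"; then
        echo preconditions-met
    else
        echo handler-only
    fi
}

cifswitch_exposure "${1:-}"
```

A result of handler-only means the upcall handler is installed but unprivileged user namespaces are switched off; preconditions-met means both conditions from the paragraph above hold on that host.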
