A local privilege escalation vulnerability called 'CIFSwitch' has been discovered in the Linux kernel, introduced 19 years ago in 2007. The flaw stems from the kernel's CIFS subsystem failing to verify that cifs.spnego key requests originate from the kernel's CIFS client, allowing an unprivileged user to forge requests and trigger the authentication workflow. By abusing the root-privileged cifs.upcall helper, an attacker can force a namespace switch, trigger an NSS lookup before privileges are dropped, load a malicious NSS module, and achieve root code execution. Multiple distributions are confirmed vulnerable in their default configurations, including Linux Mint 21.3/22.3, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali Linux, and SLES 15 SP7. A kernel patch (commit 3da1fdf) has been released, and a proof-of-concept exploit is publicly available. Mitigations include disabling the CIFS module, removing cifs-utils if unused, and disabling unprivileged user namespaces.
Sort: