19‑Year‑Old Linux Kernel Privilege‑Escalation (CIFSwitch) Discovered by SpaceX Engineer Threatens Servers Across Major Distros
What Happened – Researchers at SpaceX uncovered a logic flaw in the Linux CIFS client (CIFSwitch) that allows an unprivileged user to forge CIFS authentication keys and gain root privileges. The bug has existed in the kernel since 2007 and affects popular distributions such as Linux Mint, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali Linux, and SLES 15.
Why It Matters for TPRM –
- The vulnerability can be exploited on any Linux host that mounts Kerberos‑protected CIFS shares, a common configuration in cloud, SaaS, and on‑prem environments.
- Attackers can achieve full system compromise without needing prior code execution, bypassing traditional endpoint controls.
- Patch cycles for many enterprise‑grade distros are still pending, leaving third‑party services exposed.
Who Is Affected – Cloud‑service providers, managed‑service providers, SaaS platforms, and any organization that runs Linux servers with CIFS/Kerberos mounts (tech, finance, healthcare, research, etc.).
Recommended Actions –
- Inventory all Linux assets that use CIFS/Kerberos mounts and verify kernel version.
- Apply the upstream patches released by the Linux kernel maintainers (kernel 6.6.12+).
- If immediate patching is not possible, disable CIFS mounts or enforce strict keyring policies.
- Review third‑party contracts for Linux‑host security clauses and confirm remediation timelines.
Technical Notes – The flaw resides at the intersection of the CIFS client’s cifs.spnego key type and the cifs.upcall helper. An attacker can craft a malicious key description that forces cifs.upcall (running as root) to execute in the attacker’s namespace, ultimately invoking getpwuid() via NSS and escalating to root. No CVE number was assigned at time of writing; the issue is tracked as a kernel logic bug (CVE‑2026‑XXXX pending). Source: Security Affairs