HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Local Privilege Escalation “CIFSwitch” Gives Root on Major Linux Distributions

A newly disclosed Linux kernel flaw, CIFSwitch, lets unprivileged users forge CIFS SPNEGO key requests and gain root privileges on several popular distributions. The issue impacts cloud‑hosted and on‑prem Linux workloads, making rapid patching essential for third‑party risk management.

LiveThreat™ Intelligence · 📅 May 31, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Local Privilege Escalation “CIFSwitch” Gives Root on Major Linux Distributions

What Happened – Researchers disclosed a new Linux kernel flaw, dubbed CIFSwitch, that lets an unprivileged user forge CIFS SPNEGO key requests, abuse the kernel’s key‑request mechanism, and obtain root privileges. The vulnerability affects multiple Linux distributions that ship vulnerable kernel CIFS and cifs‑utils versions (≥ 6.14).

Why It Matters for TPRM

- Any third‑party service that runs on affected Linux hosts (cloud VMs, SaaS back‑ends, on‑prem servers) could be compromised by a malicious insider or a breached user.

- Root compromise enables attackers to bypass existing security controls, install persistence mechanisms, and exfiltrate data from downstream services.

- Patch cycles vary across vendors; some widely‑used distros remain vulnerable in default configurations.

Who Is Affected – Cloud‑hosted workloads, SaaS platforms, managed service providers, and any organization that relies on Linux distributions such as Linux Mint, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali Linux, SLES 15 SP7, Ubuntu, Debian, Pop!_OS, openSUSE, Oracle Linux, etc.

Recommended Actions

- Inventory all Linux assets and verify kernel and cifs‑utils versions.

- Apply vendor‑supplied patches or upgrade to kernel 6.15+ where available.

- If immediate patching isn’t possible, mitigate by disabling CIFS mounts that use Kerberos/SPNEGO or enforcing SELinux/AppArmor policies that block the cifs.upcall helper.

- Review privileged‑access monitoring and enforce least‑privilege for local accounts.

Technical Notes – The flaw resides in the CIFS subsystem’s handling of cifs.spnego key requests. An attacker can craft a malicious request, trigger a namespace switch, and load a malicious NSS module before privileges are dropped, achieving root code execution. Exploitation requires a vulnerable kernel, matching cifs‑utils, user namespaces enabled, and permissive SELinux/AppArmor policies. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/new-cifswitch-linux-flaw-gives-root-on-multiple-distributions/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →