CIFSwitch (CVE-2026-46243) is a Linux local privilege escalation in the CIFS/SMB client's SPNEGO authentication "upcall" path — a bug that has been latent in the kernel since 2007, roughly 19 years. On an affected host, any unprivileged local user can use it to gain root in a single command. A public proof-of-concept shipped with the oss-security disclosure on May 28, 2026, and it affects multiple Linux distributions.
What the Vulnerability Is
When the kernel's CIFS client needs Kerberos/SPNEGO credentials, it makes an "upcall" to the userspace helper cifs.upcall (from cifs-utils). The flaw is that this path trusts attacker-controlled fields in the request-key description.
With upcall_target=app, cifs.upcall calls setns(2) into the namespace named by an attacker-supplied PID, then performs a getpwuid() lookup before dropping privileges. That lookup loads the attacker's libnss_*.so.2 from an attacker-controlled mount namespace and executes it as root.
The published exploit chains it cleanly: stage a private user + mount namespace containing a forged /etc/nsswitch.conf and a malicious NSS module, forge the cifs.spnego key description, let cifs.upcall load the malicious NSS module as root, write /etc/sudoers.d/<user> granting NOPASSWD: ALL, then run sudo for an unrestricted root shell.
Why It Matters
- Local user to root in one command on affected hosts, with a public PoC already available.
- Decades-old and widespread. The flawed code dates to 2007 and ships in vulnerable kernel CIFS + cifs-utils combinations across multiple distributions.
- Namespace-reachable. The chain leans on unprivileged user namespaces, which are enabled by default on many systems — turning "needs a capability" into "needs a shell."
- Highest impact on multi-tenant and shared hosts where untrusted users hold local shells.
Am I Affected?
You're exposed when all three of these are present together: the CIFS kernel module is loadable, the cifs-utils package is installed (the exploit targets vulnerable kernel CIFS + cifs-utils, notably 6.14 and higher, with some older variants also affected), and the cifs.spnego request-key rule is active — typically alongside permitted unprivileged user namespaces. Remove or disable any one of the three and the chain breaks. Red Hat tracks this as RHSB-2026-005.
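As an added example (not from the advisory or any vendor), this read-only script checks the preconditions listed above against a filesystem root, so it can be run on a live host or pointed at a mounted image. The function names, verdict strings and the helper search paths are assumptions of this example, and it does not check whether the running kernel is already patched.

```shell
#!/bin/sh
# Added example: read-only check of the preconditions named above.
# Function names and verdict strings are this example's own (assumptions).

# 0 if cifs is loaded or built in, or on disk and not blocked in modprobe.d.
module_reachable() {
    [ -d "$1/sys/module/cifs" ] && return 0
    grep -Eqs '^[[:space:]]*(blacklist[[:space:]]+cifs[[:space:]]*$|install[[:space:]]+cifs[[:space:]]+/(usr/)?bin/(false|true))' \
        "$1"/etc/modprobe.d/*.conf && return 1
    find "$1/lib/modules" -name 'cifs.ko*' 2>/dev/null | grep -q .
}

# 0 if the cifs.upcall helper from cifs-utils is installed.
helper_installed() {
    for p in usr/sbin sbin usr/bin; do
        [ -x "$1/$p/cifs.upcall" ] && return 0
    done
    return 1
}

# 0 if an uncommented request-key rule handles cifs.spnego keys.
spnego_rule_active() {
    grep -Eqs '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]]' \
        "$1/etc/request-key.conf" "$1"/etc/request-key.d/*.conf
}

# 0 unless one of the two user-namespace sysctls is set to 0.
userns_allowed() {
    for f in kernel/unprivileged_userns_clone user/max_user_namespaces; do
        [ "$(cat "$1/proc/sys/$f" 2>/dev/null)" = 0 ] && return 1
    done
    return 0
}

# Prints a one-line verdict for the filesystem rooted at $1 (default /).
cifswitch_exposure() {
    root=${1%/}; missing=""
    module_reachable "$root"   || missing="$missing module"
    helper_installed "$root"   || missing="$missing cifs-utils"
    spnego_rule_active "$root" || missing="$missing spnego-rule"
    if [ -n "$missing" ]; then
        echo "chain-broken:$missing"
    elif userns_allowed "$root"; then
        echo "preconditions-present userns=allowed"
    else
        echo "preconditions-present userns=restricted"
    fi
}

cifswitch_exposure "${1:-/}"
```

A `chain-broken:` verdict lists which of the three components is absent; `preconditions-present` means the host still needs the patched kernel or one of the mitigations.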
Remediation
Patch the kernel
The fix adds validation of cifs.spnego request origins (upstream commit 3da1fdf). Install your distribution's patched kernel (Red Hat, CloudLinux, Rocky, and others have published advisories) and reboot.
If you can't patch immediately, break the chain
Because all three components must be present, disabling any one mitigates the bug on hosts that don't need CIFS:
# Blacklist the CIFS module if you don't mount SMB/CIFS shares
echo "blacklist cifs" > /etc/modprobe.d/blacklist-cifs.conf
# Or remove the userspace helper package if unneeded (Debian/Ubuntu example)
apt-get remove cifs-utils
You can also deactivate the cifs.spnego request-key rule, and restrict unprivileged user namespaces (sysctl -w kernel.unprivileged_userns_clone=0) where workloads don't require them.
Prioritize shared hosts
Patch any system that grants local shells to untrusted or semi-trusted users first — shared hosting, CI runners, container hosts, and jump boxes.
Quick-Win Checklist
- Install the patched kernel that cites CVE-2026-46243 and reboot.
- If unpatched and CIFS is unused: blacklist the cifs module and/or remove cifs-utils.
- Disable the cifs.spnego request-key rule where it isn't needed.
- Restrict unprivileged user namespaces where workloads don't require them.
- Patch multi-tenant and shell-granting hosts first.
- Confirm you don't depend on CIFS mounts before disabling the module.
Sources
- BleepingComputer: New CIFSwitch Linux flaw gives root on multiple distributions
- Red Hat: RHSB-2026-005 CIFS Upcall Privilege Escalation (CVE-2026-46243) "CIFSwitch"
- CloudLinux: CIFSwitch (CVE-2026-46243) Mitigation and Kernel Update
- Threat-Modeling.com: CIFSwitch 19-Year-Old Linux Kernel Privilege Escalation