oss-sec mailing list archives
Re: CIFSwitch: Linux kernel/cifs-utils local root via forged cifs.spnego upcall
From: manizada <manizada () pm me>
Date: Mon, 01 Jun 2026 16:29:07 +0000
This has been assigned CVE-2026-46243, see https://lore.kernel.org/linux-cve-announce/2026060140-CVE-2026-46243-3d1c@gregkh/ On Thursday, May 28th, 2026 at 12:07 AM, manizada <manizada () pm me> wrote:
Hi folks,
Emailing here now that the embargo agreed upon with linux-distros@ has expired.
Flagging a local root vulnerability spanning both CIFS in the kernel and
cifs-utils in userspace (originally reported to kernel/cifs maintainers on May 16).
The kernel-side (only) fix has now been public for over a week and is queued for stable:
3da1fdf4efbc ("smb: client: reject userspace cifs.spnego descriptions")
Impact:
Unprivileged user -> root code exec on any system where:
- cifs-utils is installed (with the default cifs.spnego rule)
- CIFS kernel module is loadable/compiled-in (typically the case), and
- unprivileged user/mount namespaces are enabled.
Some default AppArmor/SELinux profiles block this.
Bug:
An unprivileged user can call request_key("cifs.spnego", ...) with a forged
CIFS SPNEGO description. The request-key rule starts cifs.upcall as root.
cifs.upcall then trusts attacker-supplied pid, uid, creduid, and
upcall_target fields as if they came from kernel CIFS.
For upcall_target=app, affected cifs-utils versions switch into the supplied
process's namespaces and perform NSS lookup before final privilege drop.
A private mount namespace containing attacker-controlled /etc/nsswitch.conf
and libnss_*.so.2 is therefore sufficient for code execution in the root
helper.
Affected distros:
This a non-exhaustive summary of some tested distros. The full table, including
the cases where stock policy blocks exploitation (but relaxing AppArmor/SELinux/etc.
enables exploitation), is in the attachment (and in an easier-to-read format in
the writeup linked below).
Stock-default exploitable distros
(cifs-utils comes preinstalled in the profile + unprivileged namespaces permitted by default
+ the AA/SELinux policies, if any, do not block the attack):
- Linux Mint Cinnamon 21.3 and 22.3
- CentOS Stream 9 GNOME
- Rocky Linux 9 Workstation
- Kali Linux headless 2021.4/2022.4/2023.4/2024.4/2025.4/2026.1
- AlmaLinux 9.7 Workstation/Azure cloud image
- SLES 15 SP7/SAP 15 SP7/SAP 16
Exploitable if cifs-utils is installed, with no other default config changes:
- Ubuntu 18.04/20.04/22.04 Desktop/Server
- Pop!_OS 22.04 Intel/24.04 Generic
- Ubuntu 24.04 Desktop minimal/full and Server
- Debian 11/12/13 netinst standard and GNOME/KDE/standard/XFCE
- CentOS Stream 9 Cinnamon/KDE/MATE/XFCE
- Rocky Linux 9 KDE/Workstation-Lite
- openSUSE Leap 15.6 GNOME/KDE
- openSUSE Tumbleweed GNOME/KDE
- Rocky Linux 8 GenericCloud
- Oracle Linux 8/9 KVM
- Amazon Linux 2023 KVM
Immediate-term mitigations (aside from backporting the kernel fix):
- Blocking the CIFS module from loading (assuming it's not built-in)/uninstalling cifs-utils if not used
- Deleting/overriding the default cifs.spnego request-key rule (if Kerberos cifs is not required),
e.g., after adjusting for your keyctl path:
cat >/etc/request-key.d/cifs.spnego.conf <<'EOF'
create cifs.spnego * * /usr/sbin/keyctl negate %k 30 %S
EOF
- Disabling unprivileged user namespaces
The CVE # assignment is still pending.
Full writeup:
https://heyitsas.im/posts/cifswitch
PoC to validate mitigations:
https://github.com/manizada/CIFSwitch
Thanks,
-Asim Manizada
Current thread:
- CIFSwitch: Linux kernel/cifs-utils local root via forged cifs.spnego upcall manizada (May 28)
- Re: CIFSwitch: Linux kernel/cifs-utils local root via forged cifs.spnego upcall manizada (Jun 01)
