CIFSwitch is a local privilege escalation vulnerability in the Linux kernel's CIFS subsystem that allows an unprivileged local attacker to forge cifs.spnego key requests. The kernel fails to verify that these requests originate from the kernel's CIFS client, enabling attackers to trick the root-privileged cifs.upcall helper into trusting attacker-controlled data. By abusing this flaw to force a namespace switch and trigger a Name Service Switch (NSS) lookup before dropping privileges, an attacker can load a malicious NSS module and execute code with root privileges. The vulnerability affects multiple Linux distributions shipping vulnerable kernel and cifs-utils versions, especially when Kerberos/SPNEGO authentication is used for CIFS shares. The flaw was introduced in 2007 and exploitation depends on several conditions including user namespaces and SELinux/AppArmor policies. An upstream kernel patch (commit 3da1fdf) adds validation of cifs.spnego request origins to fix the issue. Users are advised to apply distribution-specific kernel updates, disable or blacklist the CIFS module if unused, remove cifs-utils if unnecessary, and disable unprivileged user namespaces. A proof-of-concept exploit has been published to test mitigations.

Successful exploitation of CIFSwitch allows a local unprivileged user to escalate privileges to root on affected Linux systems. This can lead to full system compromise. The vulnerability impacts multiple Linux distributions with vulnerable kernel and cifs-utils versions, particularly when CIFS shares use Kerberos/SPNEGO authentication. Exploitation requires specific conditions such as enabled user namespaces and permissive SELinux/AppArmor policies. Some distributions have default security settings that prevent exploitation. The flaw has existed since 2007, increasing the potential exposure window. No known exploits in the wild have been reported at the time of disclosure.

A kernel patch fixing CIFSwitch has been released upstream (commit 3da1fdf) and is included in various distribution updates; users should apply the latest kernel updates from their Linux distribution vendors to remediate the vulnerability. Additionally, users should disable or blacklist the CIFS kernel module if it is not in use, remove the cifs-utils package if unnecessary, and disable unprivileged user namespaces to reduce attack surface. Some distributions' default SELinux/AppArmor policies may already mitigate exploitation. Organizations should consult their vendor advisories for exact patched kernel versions and apply those updates accordingly. The published proof-of-concept exploit can be used to verify the effectiveness of applied patches and mitigations.