Hi folks,
Emailing here now that the embargo agreed upon with linux-distros@ has expired.
Flagging a local root vulnerability spanning both CIFS in the kernel and
cifs-utils in userspace (originally reported to kernel/cifs maintainers on May
16).
The kernel-side (only) fix has now been public for over a week and is queued
for stable:
3da1fdf4efbc ("smb: client: reject userspace cifs.spnego descriptions")
Impact:
Unprivileged user -> root code exec on any system where:
- cifs-utils is installed (with the default cifs.spnego rule)
- CIFS kernel module is loadable/compiled-in (typically the case), and
- unprivileged user/mount namespaces are enabled.
Some default AppArmor/SELinux profiles block this.
Bug:
An unprivileged user can call request_key("cifs.spnego", ...) with a forged
CIFS SPNEGO description. The request-key rule starts cifs.upcall as root.
cifs.upcall then trusts attacker-supplied pid, uid, creduid, and
upcall_target fields as if they came from kernel CIFS.
For upcall_target=app, affected cifs-utils versions switch into the supplied
process's namespaces and perform NSS lookup before final privilege drop.
A private mount namespace containing attacker-controlled /etc/nsswitch.conf
and libnss_*.so.2 is therefore sufficient for code execution in the root
helper.
Affected distros:
This is a non-exhaustive summary of some tested distros. The full table,
including the cases where stock policy blocks exploitation (but relaxing
AppArmor/SELinux/etc. enables exploitation), is in the attachment (and in an
easier-to-read format in the writeup linked below).
Stock-default exploitable distros (cifs-utils comes preinstalled in the profile
+ unprivileged namespaces permitted by default + the AA/SELinux policies, if
any, do not block the attack):
- Linux Mint Cinnamon 21.3 and 22.3
- CentOS Stream 9 GNOME
- Rocky Linux 9 Workstation
- Kali Linux headless 2021.4/2022.4/2023.4/2024.4/2025.4/2026.1
- AlmaLinux 9.7 Workstation/Azure cloud image
- SLES 15 SP7/SAP 15 SP7/SAP 16
Exploitable if cifs-utils is installed, with no other default config changes:
- Ubuntu 18.04/20.04/22.04 Desktop/Server
- Pop!_OS 22.04 Intel/24.04 Generic
- Ubuntu 24.04 Desktop minimal/full and Server
- Debian 11/12/13 netinst standard and GNOME/KDE/standard/XFCE
- CentOS Stream 9 Cinnamon/KDE/MATE/XFCE
- Rocky Linux 9 KDE/Workstation-Lite
- openSUSE Leap 15.6 GNOME/KDE
- openSUSE Tumbleweed GNOME/KDE
- Rocky Linux 8 GenericCloud
- Oracle Linux 8/9 KVM
- Amazon Linux 2023 KVM
Immediate-term mitigations (aside from backporting the kernel fix):
- Blocking the CIFS module from loading (assuming it's not built-in) /
  uninstalling cifs-utils if not used
- Deleting/overriding the default cifs.spnego request-key rule (if Kerberos
  cifs is not required), e.g., after adjusting for your keyctl path:
cat >/etc/request-key.d/cifs.spnego.conf <<'EOF'
create cifs.spnego * * /usr/sbin/keyctl negate %k 30 %S
EOF
- Disabling unprivileged user namespaces
The CVE # assignment is still pending.
Full writeup:
https://heyitsas.im/posts/cifswitch
PoC to validate mitigations:
https://github.com/manizada/CIFSwitch
Thanks,
-Asim Manizada

A) Stock-exploitable (cifs-utils already present; AA/SELinux/etc. do not stop
the attack)

| Distro/version/image | cifs-utils installed by default? | Default-policy PoC result (cifs-utils installed) | Non-default PoC result |
|---|---|---|---|
| Linux Mint 21.3/22.3 Cinnamon | yes | Exploitable with AA active, direct unshare | Same |
| CentOS Stream 9 GNOME | yes | Exploitable with SELinux enforcing | Same |
| Rocky Linux 9 Workstation | yes | Exploitable with SELinux enforcing | Same |
| Kali Linux 2021.4/2022.4/2023.4/2024.4/2025.4/2026.1 headless installer | yes | Exploitable with AA active, direct unshare | Same |
| AlmaLinux 9.7 Workstation/Azure cloud image recipe | yes | Exploitable with SELinux enforcing | Same |
| SLES 15 SP7/SAP 15 SP7 | yes | Exploitable with AA active, direct unshare | Same |
| SLES SAP 16 | yes | Exploitable with SELinux permissive | Same |
B) Stock-policy exploitable if cifs-utils is installed

| Distro/version/image | cifs-utils installed by default? | Default-policy PoC result (cifs-utils installed) | Non-default PoC result |
|---|---|---|---|
| Ubuntu 18.04/20.04/22.04 Desktop/Server | no | Exploitable with AA active, direct unshare | Same |
| Pop!_OS 22.04 Intel/24.04 Generic | no | Exploitable with AA active, direct unshare | Same |
| Ubuntu 24.04 Desktop minimal/full and Server | no | Direct unshare is blocked by AppArmor userns policy; exploitable through aa-exec -p trinity | Direct unshare works after AppArmor userns sysctls are relaxed |
| Debian 11/12/13 netinst standard and GNOME/KDE/standard/XFCE | no | Exploitable with AA active, direct unshare | Same |
| CentOS Stream 9 Cinnamon/KDE/MATE/XFCE | no | Exploitable with SELinux enforcing | Same |
| Rocky Linux 9 KDE/Workstation-Lite | no | Exploitable with SELinux enforcing | Same |
| openSUSE Leap 15.6 GNOME/KDE | no | Exploitable with AA active, direct unshare | Same |
| Rocky Linux 8 GenericCloud | no | Exploitable with SELinux enforcing | Same |
| Oracle Linux 8/9 KVM | no | Exploitable with SELinux enforcing | Same |
| Amazon Linux 2023 KVM | no | Exploitable with SELinux permissive | Same |
C) Rest: blocked by stock policy

| Distro/version/image | cifs-utils installed by default? | Default-policy PoC result (cifs-utils installed) | Non-default PoC result |
|---|---|---|---|
| Ubuntu 26.04 Desktop minimal/full and Server | no | PoC blocked by AppArmor userns policy | Exploitable after AppArmor userns sysctls are relaxed |
| Fedora 40/41/42/43/44 Workstation/Server | yes | PoC blocked by SELinux enforcing | Exploitable after setenforce 0 |
| CentOS Stream 10 GNOME | yes | PoC blocked by SELinux enforcing | Exploitable after setenforce 0 |
| CentOS Stream 10 KDE | no | PoC blocked by SELinux enforcing | Exploitable after setenforce 0 |
| Rocky Linux 10 Workstation | yes | PoC blocked by SELinux enforcing | Exploitable after setenforce 0 |
| Rocky Linux 10 KDE/Workstation-Lite | no | PoC blocked by SELinux enforcing | Exploitable after setenforce 0 |
| AlmaLinux 10.1 Workstation/Azure cloud image recipe | yes | PoC blocked by SELinux enforcing | Exploitable after setenforce 0 |
| Oracle Linux 10 KVM | no | PoC blocked by SELinux enforcing | Exploitable after setenforce 0 |
| openSUSE Tumbleweed GNOME/KDE | yes | PoC blocked by SELinux enforcing | Exploitable after setenforce 0 |
| openSUSE Leap 16.0 OEM GNOME/KDE | yes | PoC blocked by SELinux enforcing | Exploitable after setenforce 0 |
| openSUSE Leap 16.0 Minimal-VM | no | PoC blocked by SELinux enforcing | Exploitable after setenforce 0 |
| SLES 16 | yes | PoC blocked by SELinux enforcing | Exploitable after setenforce 0 |
D) Unaffected

| Distro/version/image | cifs-utils installed by default? | Default-policy PoC result (cifs-utils installed) | Non-default PoC result |
|---|---|---|---|
| Amazon Linux 2 KVM | no | Unaffected by this PoC: cifs-utils 6.2 lacks the namespace-switch sink | N/A |
| Kali Linux 2019.4/2020.4 | yes | Unaffected by this PoC after userns relaxation: cifs-utils 6.9 lacks the namespace-switch sink | N/A |
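As an added defender-side check (not the advisory's PoC and not cifs-utils code), the script below reports the three preconditions listed under Impact: whether a request-key rule still routes cifs.spnego to cifs.upcall (and whether the keyctl negate override from the mitigation list is in place), whether unprivileged user namespaces are enabled, and whether the cifs module is loaded, built in or loadable. It assumes the usual locations (/etc/request-key.d/*.conf, /etc/request-key.conf, /proc/sys, /lib/modules/<release>/modules.builtin, /etc/modprobe.d) and the sysctl names shown; the ordering in which request-key consults its files is an assumption marked in the code. It does not detect whether the kernel already carries 3da1fdf4efbc; check that separately.

```python
"""Exposure check for the cifs.spnego upcall path described above.

Added example, not the advisory's PoC and not cifs-utils code. Reports the three
preconditions from the Impact section; does not know whether the running kernel
carries 3da1fdf4efbc. Paths and sysctl names below are assumptions.
"""
import fnmatch
import glob
import os
import shutil
import subprocess

def parse_rules(text):
    """Parse request-key.conf lines into (op, type, desc, callout, program, args)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        fields = line.split(None, 5)                 # program args may contain spaces
        if len(fields) < 5:
            continue                                 # blank or malformed line
        rules.append(tuple(fields[:5]) + (fields[5] if len(fields) > 5 else "",))
    return rules

def spnego_rule_status(text):
    """'exposed', 'mitigated', 'other:<prog>' or 'absent' for the first matching create rule."""
    for op, ktype, _desc, _callout, prog, args in parse_rules(text):
        if op != "create" or not fnmatch.fnmatchcase("cifs.spnego", ktype):
            continue
        base = os.path.basename(prog)
        if base == "cifs.upcall":
            return "exposed"                         # root helper reachable via request_key()
        if base == "keyctl" and args.split()[:1] == ["negate"]:
            return "mitigated"                       # the negate override from the advisory
        return "other:" + prog
    return "absent"

def userns_status(values):
    """values maps sysctl name -> string value, or None when the knob does not exist."""
    if values.get("user.max_user_namespaces") == "0":
        return "disabled"
    if values.get("kernel.unprivileged_userns_clone") == "0":   # Debian/Ubuntu knob
        return "disabled"
    if values.get("kernel.apparmor_restrict_unprivileged_userns") == "1":
        return "restricted-by-apparmor"
    return "enabled"

def cifs_module_status(proc_modules, modules_builtin, modprobe_conf, module_file_found):
    """Classify the cifs module from /proc/modules, modules.builtin and modprobe.d text."""
    if any(line.startswith("cifs ") for line in proc_modules.splitlines()):
        return "loaded"
    if any(line.strip().endswith("/cifs.ko") for line in modules_builtin.splitlines()):
        return "built-in"
    for raw in modprobe_conf.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 3 and f[0] == "install" and f[1] == "cifs":
            return "blocked:" + " ".join(f[2:])      # 'install cifs /bin/false' style block
    # Plain 'blacklist cifs' lines only stop alias loading, so they are not treated as blocking.
    return "loadable" if module_file_found else "unavailable"

def exposure(rule, userns, module):
    """All three preconditions from the advisory must hold for the upcall path to be reachable."""
    # The table above shows the AppArmor userns restriction alone did not stop the PoC
    # on Ubuntu 24.04, so 'restricted-by-apparmor' is counted as enabled here.
    return "EXPOSED" if (rule == "exposed"
                         and userns in ("enabled", "restricted-by-apparmor")
                         and module in ("loaded", "built-in", "loadable")) else "NOT-EXPOSED"

def read_text(path):
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""

def main():
    # Assumption: request-key reads /etc/request-key.d/*.conf before /etc/request-key.conf.
    rule_files = sorted(glob.glob("/etc/request-key.d/*.conf")) + ["/etc/request-key.conf"]
    rule = spnego_rule_status("".join(read_text(p) for p in rule_files))
    knobs = ("user.max_user_namespaces", "kernel.unprivileged_userns_clone",
             "kernel.apparmor_restrict_unprivileged_userns")
    userns = userns_status({n: read_text("/proc/sys/" + n.replace(".", "/")).strip() or None
                            for n in knobs})
    modinfo = shutil.which("modinfo")
    found = bool(modinfo) and subprocess.run([modinfo, "-n", "cifs"],
                                             capture_output=True).returncode == 0
    module = cifs_module_status(read_text("/proc/modules"),
                                read_text(f"/lib/modules/{os.uname().release}/modules.builtin"),
                                "".join(read_text(p) for p in glob.glob("/etc/modprobe.d/*.conf")),
                                found)
    print(f"cifs.spnego rule: {rule}\nunprivileged userns: {userns}\ncifs module: {module}")
    print("verdict:", exposure(rule, userns, module))

if __name__ == "__main__":
    main()
```

Run it as an unprivileged user; every input it reads is world-readable on a stock install. A "mitigated" rule status corresponds to the keyctl negate override in the mitigation list, and a "blocked:" module status to an install-style modprobe.d entry; the verdict only combines the advisory's three conditions and is no substitute for confirming the kernel-side fix is present.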