A local privilege escalation vulnerability in the Linux kernel's CIFS client has been present since 2007, affects major enterprise distributions in their default configuration, and now has a working public exploit.
What CIFSwitch is
CIFSwitch is a local privilege escalation in the cifs.spnego key type, which is used by the Linux CIFS client for Kerberos-based CIFS (SMB) authentication. The bug was disclosed on May 28, 2026 by security researcher Asim Manizada via the oss-security mailing list, with a working proof-of-concept published simultaneously on GitHub.
The flaw is in how cifs.upcall handles the upcall_target=app code path. When processing a request, cifs.upcall switches into the PID namespace named by the kernel request and then calls getpwuid() to look up user information before dropping privileges. An unprivileged local attacker can control that PID reference and point cifs.upcall into an attacker-controlled namespace, causing it to load the attacker's libnss library from an attacker-mounted filesystem, executing arbitrary code as root.
The kernel has carried this logic since 2007. The specific code path requires the cifs.upcall binary from cifs-utils to be installed, which is a standard dependency for mounting CIFS shares.
Which systems are vulnerable
Distributions confirmed vulnerable in their default configurations: CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, SLES 15 SP7, Linux Mint 21.3 and 22.3, Kali Linux 2021.4 through 2026.1. Ubuntu and Fedora are reportedly not vulnerable in default configurations due to differing kernel build options, though this has not been confirmed across all versions.
Severity in context
This is a local privilege escalation, not a remote code execution. An attacker needs local access first. In the context of containerized infrastructure and multi-tenant cloud environments, however, local access is often a starting condition rather than a final barrier. A container breakout that lands an attacker in a namespace on a vulnerable host has now picked up a reliable root escalation path.
The public exploit makes this more urgent than a theoretical advisory. Patch now.
What to do
Check your distribution's security advisory for the kernel update package that includes the upstream fix (commit 3da1fdf, which adds validation of cifs.spnego request origins). If you cannot patch immediately, CloudLinux has published kernel-level mitigations. Remove or restrict the cifs-utils package on systems that do not need CIFS mounting. Monitor for unexpected cifs.upcall executions, particularly from non-root processes.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you need help prioritizing kernel patch deployments across a mixed-distribution fleet.