19-Year-Old Linux Kernel Flaw Enables Root Privilege Escalation via CIFS Subsystem
A newly disclosed Linux kernel vulnerability, known as CIFSwitch, has existed in the kernel for nearly 19 years and allows low-privileged local users to escalate privileges to root on affected systems. Security researchers have also confirmed the release of proof-of-concept exploit code, increasing the urgency for patching and mitigation.
How the CIFSwitch vulnerability works
The flaw resides in the Linux kernel’s CIFS (Common Internet File System) subsystem, which is used to handle SMB network file operations such as mounting shares, reading and writing data, and managing communication with SMB servers. It also involves the cifs-utils userspace helper responsible for authentication tasks.
During authentication, the subsystem issues a request_key call for a key of type cifs.spnego, which the kernel hands off to userspace through a helper called cifs.upcall that runs as root. This helper parses a key description containing data such as user IDs, process IDs, credential cache information, and namespace details.
Researchers explain that the kernel fails to properly verify the origin of these key descriptions. A local user can therefore invoke request_key directly with a crafted key description, bypassing the validation that the CIFS code would otherwise apply before the helper is reached.
Because the cifs.upcall helper runs with root privileges, it can be tricked into switching into attacker-controlled process namespaces, ultimately enabling full root access on the system.
Exploitation technique and impact
The attack becomes more powerful because of how the helper performs name-service lookups before dropping privileges. It goes through the Name Service Switch (NSS), which can load external modules during execution.
Attackers can exploit this behavior by placing malicious NSS configuration files and modules inside their own namespace. When the helper executes there, it may load attacker-controlled code with root privileges, effectively escalating access.
Affected systems and distributions
The vulnerability affects a wide range of Linux distributions, including certain configurations of Linux Mint, CentOS, Rocky Linux, Kali Linux, AlmaLinux, and SLES SAP editions where cifs-utils is installed by default or added manually.
However, some distributions such as Ubuntu, Fedora, Oracle Linux, openSUSE, and newer versions of CentOS, Rocky Linux, AlmaLinux, and SLES are generally not impacted due to default execution path restrictions. Additionally, Amazon Linux 2 KVM and older Kali Linux versions are reported as not affected.
Mitigation and response
The issue has been addressed by major Linux distributions, which have released patches earlier this month. Security researchers emphasize the importance of updating systems promptly, especially in environments where CIFS/SMB file sharing is enabled.
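As an added example that is not part of the original article, the following POSIX shell script gives a defender a read-only way to check whether a host is wired up for the request_key to cifs.upcall path described above (the request-key rule, the helper binary, and the cifs kernel module), and prints the follow-up action. The file paths it reads (/etc/request-key.conf, /etc/request-key.d/*.conf, /proc/modules) and the helper path /usr/sbin/cifs.upcall are assumptions about a typical cifs-utils installation, and the optional ROOT argument is a convention of this script for pointing it at an offline image; whether the installed cifs-utils and kernel already carry the fix must still be confirmed against the distribution advisory.

```shell
#!/bin/sh
# Added example, not from the article: read-only exposure check for the
# request_key -> cifs.upcall path. Paths below are assumptions about a
# typical cifs-utils install; ROOT (optional) lets the checks run against
# a mounted offline image instead of the live system.

# Does a request-key rule hand the cifs.spnego key type to a userspace helper?
# Matching lines look like:  create  cifs.spnego  * *  /usr/sbin/cifs.upcall %k
cifs_upcall_configured() {
    root="${1:-}"
    for f in "$root/etc/request-key.conf" "$root"/etc/request-key.d/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]]' "$f"; then
            return 0
        fi
    done
    return 1
}

# Print the helper program each matching rule would run (5th field), one per line.
cifs_upcall_helpers() {
    root="${1:-}"
    for f in "$root/etc/request-key.conf" "$root"/etc/request-key.d/*.conf; do
        [ -f "$f" ] || continue
        awk '$1 == "create" && $2 == "cifs.spnego" { print $5 }' "$f"
    done
}

# Is the cifs kernel module currently loaded? (reads /proc/modules)
cifs_module_loaded() {
    root="${1:-}"
    [ -r "$root/proc/modules" ] && grep -Eq '^cifs[[:space:]]' "$root/proc/modules"
}

# Summary: returns 0 when the root-privileged upcall path is configured,
# 1 when no cifs.spnego rule exists. Patch status is not decided here.
cifs_exposure_report() {
    root="${1:-}"
    if cifs_upcall_configured "$root"; then
        echo "cifs.spnego upcall configured; helper(s):"
        cifs_upcall_helpers "$root" | sed 's/^/  /'
        if cifs_module_loaded "$root"; then
            echo "cifs kernel module: loaded"
        else
            echo "cifs kernel module: not loaded"
        fi
        echo "action: confirm cifs-utils and the kernel carry the distribution fix"
        echo "detection: audit helper execution, e.g. auditd rule"
        echo "  -w /usr/sbin/cifs.upcall -p x -k cifs_upcall"
        return 0
    fi
    echo "no cifs.spnego request-key rule found; upcall path not configured"
    return 1
}

# Run against the live host (or CIFS_CHECK_ROOT) when executed directly.
cifs_exposure_report "${CIFS_CHECK_ROOT:-}" || :
```

Run it as an unprivileged user on each host, or with CIFS_CHECK_ROOT pointing at a mounted image; a "configured" result on a host that has not yet received the distribution update is the case to prioritise, and the auditd rule it suggests records every execution of the helper so that unexpected invocations outside of share mounts can be reviewed.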
The researcher who discovered the flaw has also published proof-of-concept exploit code to help security teams validate patches, test mitigations, and assess exposure in their environments.
Experts warn that CIFSwitch demonstrates how long-standing kernel design assumptions can still lead to severe privilege escalation risks when improperly validated.