Another Vulunerabilty found in Kernel: “CIFSwitch" allowing attackers to gain root access

Lounge Linux lounge
1

The Hits just keep on coming. This is the fourth Linux kernel privilege escalation in just a couple of weeks, Copy Fail, Dirty Frag and Fragnesia. This exploit does not rely on memory corruption (no buffer overflows) nor on any race conditions but purely on a logic flaw in authorization.

CIFSwitch -
A Linux local privilege escalation (LPE) vulnerability, “CIFSwitch” enables low-privileged users to gain root access by abusing a logic flaw between the Linux kernel CIFS client and the userspace cifs-utils package.

Any unprivileged local user can use it to gain root in a single command.

The vulnerability was found using an AI-assisted multihop reasoning approach that builds and walks semantic graphs of security-relevant objects and flows, enabling the chaining of subtle logic flaws into a practical exploit. The underlying kernel bug traces back to 2007. However, successful exploitation requires several conditions:

  • A vulnerable kernel, a compatible cifs-utils version (notably 6.14+ or older builds with backported changes), and unprivileged user namespace creation.
  • Linux Security Module (LSM) policies such as SELinux or AppArmor that do not block the attack path.
  • Testing shows that many mainstream distributions are exploitable out of the box when cifs-utils is present. In contrast, others are only exploitable after installing cifs-utils or relaxing default LSM policies.

Mitigation

  • To prevent this hack, uninstall and disable cifs related packages, especially if you do not use them.
  • Blocking the CIFS module from loading in the kernel
  • Disable unprivileged user namespaces. Unprivileged user namespaces are required by rootless containers (Podman rootless, rootless Docker, bwrap flatpaks, several CI sandboxes), unprivileged unshare(1), and Chromium’s sandbox. Possibly Firefox also uses it.

This is one more reason for running a lean and mean arch/eos install with removing all the not required packages and services.

No CVE has been allocated as of now.

Further Reading:

2

Not sure if the Linux Kernel is patched or not.

3

CIFS module is not built inside EOS Linux Kernel. But the module can still be loaded external

$ cat /lib/modules/$(uname -r)/modules.builtin | grep "cifs"
$
$ cat /lib/modules/$(uname -r)/modules.builtin | \grep "cifs"
$
$  modinfo cifs
filename:       /lib/modules/7.0.8-arch1-1/kernel/fs/smb/client/cifs.ko.zst
softdep:        gcm
softdep:        ccm
softdep:        aead2
softdep:        cmac
softdep:        aes
softdep:        nls
softdep:        ecb
version:        2.59
description:    VFS to access SMB3 servers e.g. Samba, Macs, Azure and Windows (and also older servers complying with the SNIA CIFS Specification)
license:        GPL
author:         Steve French
alias:          smb3
alias:          fs-smb3
alias:          fs-cifs
...
...
4

So, if the module is not loaded “by default” an unprivileged local user can not possibly exploit the vulnerability, can they?

5

No. If the module is not loaded by default or not built into the Linux kernel, then the module can still be loaded and the exploit can be had. insmod and/or modprobe can be used for this.

Just that the task becomes harder.

6

But for that, for being able to load the module, the local user must already be privileged .
Therefore, any unprivileged local user cannot possibly use insmod or modprobe to load the module to begin with.

7

In EOS/Arch uninstalling cifs-utils package will lead to impact on smbclient. As smbclient has a hard dependency on cifs-utils package. And without smbclient, samba package will not work. Again a hard dependency between samba package and smbclient package. So tread carefully.

CIFS-UTILS package details
CIFS-UTILS package details1558×1058 259 KB

Showing hard Dependency between sambaclient and cifs-utils package
Showing hard Dependency between sambaclient and cifs-utils package1558×1058 273 KB

8

The linux patch is on its way, being worked on 7.1rc5.

9

I cannot confirm or refute this statement. Maybe if unprivileged user namespaces are used then maybe it can be done. Or maybe it cannot be done.

Or it is not possible that there exists any scenario in which a unprivileged local user can execute the insmod or modprobe commands or call the relevant c system calls from libraries directly or in a shell script or a program.

Sorry. :pensive_face:

10

The name CIFS comes from the old and obsolete samba protocol SMB1 (Common Internet File System). Linux still uses this name to mount samba shares (e.g. with mount.cifs). In the mount options you specify the newer SMB2 and SMB3 protocols with option vers=2.0 or vers=3.0.
Therefore, samba on Linux does not work without the CIFS module

11

One point that stuck me. The person who found this did not test it with Arch or any Arch derived distro. Why is that so? Also the same was observed in the earlier 3 LPE vulnerabilities too. Why is Arch being avoided? Is there some thing going on over here?

So the following were tested to be vulnerable out of box

  1. Linux Mint 21.3/22.3 Cinnamon
  2. Rocky Linux 9 Workstation
  3. Kali Linux 2021.4/2022.4/2023.4/2024.4/2025.4/2026.1
  4. AlmaLinux 9.7 Workstation/Azure cloud image recipe
  5. SLES 15 SP7/SAP 15 SP7

The distros given below became vulnerable once cifs-utils is installed

  1. Ubuntu 18.04/20.04/22.04 Desktop/Server
  2. Pop!_OS 22.04 Intel
  3. Ubuntu 24.04 Desktop minimal/full and Server
  4. Debian 11/12/13
  5. Rocky Linux 9 KDE/Workstation-Lite
  6. openSUSE Leap 15.6 GNOME/KDE
  7. Oracle Linux 8/9 KVM
  8. Amazon Linux 2023 KVM

While the following are immune

  1. Amazon Linux 2 KVM
  2. Kali Linux 2019.4/2020.4
12

Yep and attempting to remove cifs-utils also does not work. It throws an error.

$
$ sudo pacman -Rn cifs-utils
checking dependencies...
error: failed to prepare transaction (could not satisfy dependencies)
:: removing cifs-utils breaks dependency 'cifs-utils' required by smbclient
$
$ sudo pacman -Rn smbclient
checking dependencies...
error: failed to prepare transaction (could not satisfy dependencies)
:: removing smbclient breaks dependency 'smbclient' required by kio-extras
:: removing smbclient breaks dependency 'smbclient>=4.24.2' required by samba
$
$ sudo pacman -Rn samba
checking dependencies...
error: failed to prepare transaction (could not satisfy dependencies)
:: removing samba breaks dependency 'samba' required by kdenetwork-filesharing
$

So for mitigation there are only three ways,
Firstly is to block the cifs modules from being loaded into the kernel.
Second is to disable unprivileged user namespaces (Will impact a lot)
Finally is to ovverride the cifs.spnego Request-Key Rule

13

The only reason i can think of is maybe because arch is a rolling distro, therefore has no versions? like it can look different everyday, as stuff gets updated constantly. if they want to test, they also want to provide a version it has been tested on. arch has no version, therefore what will they say what version is vulnerable? they could only say time and date maybe but thats it. but you could also argue that depending on what you install with it, can make a difference again as you can build arch almost how you want (bit like gentoo i think, which also isnt listed)

14

In addition to what @Mellow said :up_arrow: there is no standard installation of Arch Linux in same way as for those distros tested. It is highly likely that many install Arch without cifs-utils, if they have no need for samba or the packages that require it.

15

EOS has cifs-utils installed. I’m not using samba.

Edit: Samba is installed though.

16
  1. Remove KDE Plasma :wink: :winking_face_with_tongue:
17

yep Artix too and I am also not using Samba.

Naam                       : cifs-utils
Versie                     : 7.5-1
Beschrijving               : CIFS filesystem user-space tools
Architectuur               : x86_64
URL                        : https://wiki.samba.org/index.php/LinuxCIFS_utils
Licenties                  : GPL-3.0-or-later
Groepen                    : Geen
Voorziet                   : Geen
Is afhankelijk van         : keyutils  krb5  pam  libcap-ng  libwbclient  talloc
Optionele afhankelijkheden : python: for smb2-quota and smbinfo script [geïnstalleerd]
Vereist door               : smbclient
Optioneel voor             : Geen
Conflicteert met           : Geen
Vervangt                   : Geen
Geïnstalleerde grootte     : 287,67 KiB
Packager                   : Nathan <ndowens@artixlinux.org>
Creatiedatum               : do 12 mrt 2026 09:09:08 CET
Installatiedatum           : ma 20 apr 2026 00:20:53 CEST
Installatiereden           : Geïnstalleerd als afhankelijkheid voor ander pakket
Installatiescript          : Nee
Gevalideerd door           : Handtekening
18

You’re a KDE user and kio-extras is part of the default :enos: KDE packages. I installed Xfce without gvfs-smb and don’t have cif-utils installed.

In any case, you’ll be told over at https://bbs.archlinux.org that :enos: is not Arch Linux :winking_face_with_tongue:

19

Wait What? EOS is not Arch? Why?

20

Because EndeavourOS is an Arch-based distribution so not Arch.