Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
New Linux Kernel Flaw ‘CIFSwitch’ Threatens Security

New Linux Kernel Flaw ‘CIFSwitch’ Threatens Security

Posted on May 28, 2026 By CWS

A recent vulnerability in the Linux kernel, identified as ‘CIFSwitch’, poses a significant security risk by allowing low-privileged users to obtain root access. This issue arises from a logic flaw between the Linux kernel’s CIFS client and the userspace cifs-utils package.

Discovery and Technical Details

The vulnerability was uncovered by security researcher Asim Manizada, who has provided a detailed analysis and proof-of-concept (PoC) to aid in the assessment of exposure and validation of patches. The problem originates from inadequate validation of key descriptions in the CIFS.Spnego key type, enabling unprivileged users to impersonate privileged kernel requests.

An AI-assisted, multihop reasoning approach was used to discover the flaw, which involves creating semantic graphs of security-relevant objects and flows. This technique allows for the chaining of minor logic flaws into an effective exploit.

Impact and Exploitation

The vulnerability was disclosed following an embargo with Linux distributions, and kernel patches are now available. CIFS/SMB, a Windows-style network filesystem protocol on Linux, is affected, as the kernel CIFS client handles essential filesystem operations while Kerberos/SPNEGO authentication is managed by the root-privileged cifs-upcall provided by cifs-utils.

The kernel’s request_key() call for CIFS.Spnego keys passes a trusted description string with server, UID, PID, and namespace target parameters. However, Manizada’s research revealed that the kernel did not ensure the origin of these descriptions before treating them as trusted.

Security Measures and Recommendations

Exploitation requires a vulnerable kernel, a compatible cifs-utils version, and unprivileged user namespace creation. Many mainstream Linux distributions have been found vulnerable out-of-the-box when cifs-utils is present, while others require adjustments to Linux Security Module (LSM) policies.

The kernel patch introduces a vet_description hook for the CIFS.Spnego key type to verify that descriptions are requested under the CIFS client’s internal spnego_cred. This measure prevents unprivileged userspace from posing as the kernel. Additional hardening is advised to ensure cifs-upcall does not blindly trust kernel-originated descriptions.

Administrators are urged to implement backported kernel patches swiftly and consider further security measures. These include disabling unused CIFS features, removing cifs-utils, refining request-key rules for CIFS.Spnego, and limiting unprivileged user namespaces to bolster security.

For ongoing updates on this and other security issues, follow us on Google News, LinkedIn, and X.

Cyber Security News Tags:cifs-utils, CIFSwitch, Cybersecurity, IT security, kernel vulnerability, Linux kernel, Linux security, privilege escalation, root access, security flaw

Post navigation

Previous Post: Geordie Secures $30M to Enhance AI Governance
Next Post: GreyVibe Hackers Leverage AI for Advanced Cyber Threats

Related Posts

NVIDIA Triton Vulnerability Chain Let Attackers Take Over AI Server Control NVIDIA Triton Vulnerability Chain Let Attackers Take Over AI Server Control Cyber Security News
PoisonSeed Phishing Kit Bypasses MFA to Acquire Credentials from Individuals and Organizations PoisonSeed Phishing Kit Bypasses MFA to Acquire Credentials from Individuals and Organizations Cyber Security News
Microsoft Windows 11 October Update Breaks Localhost (127.0.0.1) Connections Microsoft Windows 11 October Update Breaks Localhost (127.0.0.1) Connections Cyber Security News
First AI Ransomware ‘PromptLock’ Uses OpenAI gpt-oss-20b Model for Encryption First AI Ransomware ‘PromptLock’ Uses OpenAI gpt-oss-20b Model for Encryption Cyber Security News
Navigating APTs – Singapore’s Cautious Response to State-Linked Cyber Attacks Navigating APTs – Singapore’s Cautious Response to State-Linked Cyber Attacks Cyber Security News
FortiWeb Authentication Bypass Vulnerability Let Attackers Log in As Any Existing User FortiWeb Authentication Bypass Vulnerability Let Attackers Log in As Any Existing User Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • RabbitMQ Vulnerabilities Expose OAuth Secrets, Threaten Security
  • Qilin Ransomware Exploits Active Directory with DCSync
  • Critical Flaws in Claude for Chrome Allow Unauthorized Access
  • Old Microsoft UEFI Shims Pose Secure Boot Risk
  • July 2026 SAP Security Updates Address Critical Flaws

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • RabbitMQ Vulnerabilities Expose OAuth Secrets, Threaten Security
  • Qilin Ransomware Exploits Active Directory with DCSync
  • Critical Flaws in Claude for Chrome Allow Unauthorized Access
  • Old Microsoft UEFI Shims Pose Secure Boot Risk
  • July 2026 SAP Security Updates Address Critical Flaws

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark