HIGH
CIFSwitch
CVE-2026-46243
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
KernelScan AI: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

smb: client: reject userspace cifs.spnego descriptions

cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs.

However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.

Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.
02 KernelScan AI Analysis
Risk summary
Unprivileged local users on systems with cifs-utils and user namespaces enabled can escalate to root by crafting a malicious cifs.spnego upcall. A public proof-of-concept exploit is available. Many distributions are exploitable by default unless SELinux/AppArmor rules explicitly block the attack.
Vulnerability analysis
Summary: A local attacker can trigger a forged request-key upcall to gain root privileges.
Root Cause: cifs.upcall (the userspace helper, running as root) trusts attacker-supplied pid, uid, creduid, and upcall_target fields from the kernel's cifs.spnego description without validation. By providing upcall_target=app, the helper switches into the attacker's namespaces and performs an NSS lookup before dropping privileges, loading attacker-controlled libraries from a private mount namespace.
Attack Surface: Any unprivileged user with the ability to create user and mount namespaces (typically enabled on many distributions) can exploit this when cifs-utils is installed and the CIFS kernel module is available.
Fix Mechanism: The kernel fix (commit 3da1fdf4efbc) rejects forged cifs.spnego descriptions coming from userspace, preventing the attack at the source.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 7713bd320ed4 |
| 5.15 | 5.15.209 | 9544559e5943 |
| 6.1 | 6.1.175 | cf20038657d6 |
| 6.6 | 6.6.142 | 2035acfb1722 |
| 6.12 | 6.12.92 | a3bbda6502a9 |
| 6.18 | 6.18.34 | 91f89c1d83e8 |
| 7.0 | 7.0.11 | 0aece6685fc8 |
| mainline | 7.1-rc5 | 3da1fdf4efbc |
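
A host triage check built from the Fix Versions table and the Attack Surface conditions above, as an added example that is not KernelScan's or the kernel project's code. It assumes upstream-style release strings (distribution kernels often backport fixes without changing the upstream number, so `below_fix` there means "confirm with the vendor advisory"), and the helper paths and function names are assumptions of this example.

```python
import os
import platform
import re

# Fixed stable releases, copied from the Fix Versions table on this page.
FIXED = {(5, 10): 258, (5, 15): 209, (6, 1): 175, (6, 6): 142,
         (6, 12): 92, (6, 18): 34, (7, 0): 11}
MAINLINE = (7, 1)  # mainline fix landed in 7.1-rc5


def kernel_status(release):
    """Classify an upstream-style release string, e.g. '6.6.141' or '7.1.0-rc4'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        return "unknown"
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "below_fix"
    if branch == MAINLINE and m.group(4):
        return "fixed" if int(m.group(4)) >= 5 else "below_fix"
    # Later branches inherit the mainline commit; older unlisted ones are undetermined.
    return "fixed" if branch >= MAINLINE else "unlisted"


def preconditions(root="/"):
    """Check the exposure conditions from the analysis under a filesystem root."""
    def read_int(rel):
        try:
            with open(os.path.join(root, rel)) as fh:
                return int(fh.read().strip())
        except (OSError, ValueError):
            return None  # unreadable: treated as "not disabled" below

    helper_paths = ("usr/sbin/cifs.upcall", "sbin/cifs.upcall")  # assumed locations
    return {
        "cifs_upcall_present": any(
            os.path.exists(os.path.join(root, p)) for p in helper_paths),
        # Namespaces count as available unless a sysctl explicitly says 0.
        "userns_available": read_int("proc/sys/user/max_user_namespaces") != 0
        and read_int("proc/sys/kernel/unprivileged_userns_clone") != 0,
    }


if __name__ == "__main__":
    print(kernel_status(platform.release()), preconditions())
```

A host is a patching priority when the status is `below_fix` and both preconditions are true; `unlisted` means the page gives no fixed release for that branch.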