
CIFSwitch (CVE-2026-46243): a 19-year-old Linux kernel flaw hands root to any local user


On May 28, 2026, researcher Asim Manizada disclosed a privilege escalation bug that had been sitting in the Linux kernel since 2007. It’s called CIFSwitch, it carries the identifier CVE-2026-46243 (assigned June 1), and it lets any unprivileged local user pop a root shell. Nineteen years with the hole wide open and nobody had spotted it.

What it is

The flaw lives in fs/smb/client/cifs_spnego.c, the CIFS module code that handles Kerberos/SPNEGO authentication on the client side. When the kernel needs a Kerberos ticket to mount a CIFS share, it builds a cifs.spnego key and fires an upcall to the privileged cifs.upcall helper. The trouble is that part of that key’s description (pid, uid, creduid and the upcall target) can be forged from user space.

The attack works like this: a user calls request_key(2) with a crafted cifs.spnego description, supplying attacker-controlled values for pid, uid, creduid and upcall_target. The kernel then invokes cifs.upcall with those forged values. Combined with a controlled user namespace, the helper, which is already running as root, ends up calling getpwuid() and loading a malicious NSS library. The result is arbitrary code execution with full privileges.

Who it affects

Three conditions have to coexist on the machine for the exploit to work:

  • cifs-utils installed, versions 6.14 or later.
  • Unprivileged user namespaces enabled (kernel.unprivileged_userns_clone=1).
  • CIFS kernel module loaded.

Where all three hold, a single command takes you from a normal account to root. Affected distributions include Red Hat, Ubuntu, Debian, SUSE, Oracle Linux and Amazon Linux, depending on each system’s configuration. The researcher published a proof of concept on GitHub the same day as the disclosure, so the code is already out there.

Severity

This is a local privilege escalation to root, with no user interaction and no prior authentication beyond holding an account on the system. On multi-user servers, shared hosts, or any box where an attacker already has a low-privilege foothold, the jump to root is direct. The bug being 19 years old means the historical exposure is huge: any system with that package combination has been vulnerable for nearly two decades.

Mitigation

Patched kernels reached production repositories on June 2, 2026. The priority is to apply the kernel updates through your distribution’s package manager and reboot. If you need to avoid a reboot, KernelCare and TuxCare offer live patches.

Until you can patch, any of these measures cuts the vector:

  • Disable unprivileged user namespaces.
  • Unload the CIFS module if you don’t use it.
  • Remove cifs-utils.
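
The three conditions under "Who it affects", which the stopgap measures above remove one at a time, can be checked per host. The script below is an added example, not code from the researcher or from this article; the function names, verdict strings and overridable paths are assumptions. It reads the kernel.unprivileged_userns_clone sysctl named above and reports "unknown" on kernels that do not expose it.

```shell
#!/bin/sh
# Added example (not from the article): report whether this host meets the
# three preconditions the article lists. Paths are overridable for testing.
USERNS_FILE="${USERNS_FILE:-/proc/sys/kernel/unprivileged_userns_clone}"
CIFS_SYSFS="${CIFS_SYSFS:-/sys/module/cifs}"   # present if loaded or built in

# Succeeds if version $1 (e.g. "6.15" or "2:7.0-2ubuntu1") is 6.14 or later.
cifs_utils_affected() {
    v=${1#*:}                                  # drop a Debian epoch ("2:")
    major=${v%%.*}
    case "$v" in *.*) minor=${v#*.}; minor=${minor%%[!0-9]*} ;; *) minor=0 ;; esac
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "${minor:-0}" -ge 14 ]; }
}

# Prints the installed cifs-utils version, or nothing if it is not installed.
installed_cifs_utils_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' cifs-utils 2>/dev/null && return 0
    fi
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}' cifs-utils 2>/dev/null) && printf '%s' "$v"
    fi
    return 0
}

# $1 = cifs-utils version ("" if absent). Prints one verdict line.
cifswitch_exposure() {
    cifs_utils_affected "$1" ||
        { echo "not-exposed: cifs-utils absent or older than 6.14"; return 0; }
    [ -d "$CIFS_SYSFS" ] ||
        { echo "not-exposed: cifs module not loaded"; return 0; }
    if [ ! -r "$USERNS_FILE" ]; then
        echo "unknown: $USERNS_FILE missing; check this distribution's user-namespace setting"
        return 0
    fi
    [ "$(cat "$USERNS_FILE")" = "1" ] ||
        { echo "not-exposed: unprivileged user namespaces disabled"; return 0; }
    echo "exposed: all three conditions hold; patch the kernel or remove one condition"
}

cifswitch_exposure "$(installed_cifs_utils_version)"
```

A "not-exposed" verdict reflects the host at the moment of the check only; it does not replace installing the patched kernel.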

For detection, watch for request_key() calls carrying suspicious cifs.spnego descriptions. If you run Debian or Ubuntu fleets and want to read about another recent root escalation in the kernel, see CrackArmor: AppArmor and the root escalation in the Linux kernel.
