A local privilege escalation flaw named CIFSwitch in the Linux kernel allows attackers to forge CIFS authentication key descriptions and exploit the kernel's key request mechanism to achieve root access. The vulnerability affects multiple Linux distributions that use vulnerable kernel versions.
The attack chain begins with a local attacker manipulating CIFS (Common Internet File System) authentication key descriptions. CIFS, used for network file sharing on Linux systems, relies on the kernel's key management subsystem to store and retrieve credentials. An attacker with local system access can forge these key descriptions to trick the kernel into granting elevated privileges.
The vulnerability exploits how the kernel handles key requests through its request-response mechanism. By crafting malicious requests, an attacker bypasses normal authentication checks and gains root-level permissions. This gives complete system control, allowing installation of backdoors, data theft, or lateral movement to connected systems.
CIFSwitch poses a significant risk to multi-user Linux systems where untrusted users have local access. Server environments, shared hosting platforms, and containerized deployments face particular exposure. Even systems where users shouldn't have local access remain vulnerable if attackers obtain low-privilege code execution through other means like web application exploits.
The impact spans enterprise Linux distributions including Red Hat Enterprise Linux, CentOS, Debian, and Ubuntu. System administrators should prioritize patching affected kernel versions. The Linux kernel community has developed fixes that should be incorporated into distribution updates.
Organizations using Linux infrastructure should verify their kernel versions against patch availability from their distribution vendors. Testing patches in non-production environments before deployment remains essential due to kernel stability concerns. Limiting local access through proper user management, disabling unnecessary services, and removing shell access from service accounts reduces the attack surface when patches cannot be immediately deployed.
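The checks below are an added example, not code from the original article or from any distribution vendor. They script the interim measures just described: comparing the running kernel against the patched version your vendor publishes (the article names no version, so `PATCHED_KERNEL` is a placeholder), confirming whether the `cifs` module is loaded at all, and listing service accounts that still have an interactive shell. Invoke the script with `--audit` to inspect the live host; without arguments it only defines the functions so they can be sourced.

```shell
#!/bin/sh
# Added example, not code from the original article: defensive checks for the
# mitigations it recommends. Run with --audit to inspect the live host.

# PLACEHOLDER: the article names no fixed kernel version. Replace this with the
# version your distribution vendor's advisory lists as patched.
PATCHED_KERNEL="0.0.0"

# version_lt A B -> true (exit 0) when dotted version A sorts before B.
# Purely numeric, component by component, so it does not need GNU sort -V.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            ai = (i <= n) ? x[i] + 0 : 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1
    }'
}

# kernel_base_version: "5.15.0-91-generic" -> "5.15.0" (strip the local suffix).
kernel_base_version() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//'
}

# cifs_loaded: reads /proc/modules-format text on stdin; true if cifs is loaded.
cifs_loaded() {
    awk '$1 == "cifs" { found = 1 } END { exit !found }'
}

# system_accounts_with_shell: reads /etc/passwd-format text on stdin and prints
# service accounts (UID < 1000, not root) that still have an interactive shell,
# which the article suggests removing while patches are pending.
system_accounts_with_shell() {
    awk -F: '$3 < 1000 && $1 != "root" && $7 !~ /(nologin|false)$/ { print $1 }'
}

audit_live_system() {
    running=$(kernel_base_version "$(uname -r)")
    if version_lt "$running" "$PATCHED_KERNEL"; then
        echo "kernel $running is older than $PATCHED_KERNEL: patch pending"
    else
        echo "kernel $running is at or above $PATCHED_KERNEL"
    fi
    if cifs_loaded < /proc/modules; then
        echo "cifs module is loaded (attack surface present)"
    else
        echo "cifs module not loaded"
    fi
    echo "service accounts with a login shell:"
    system_accounts_with_shell < /etc/passwd | sed 's/^/  /'
}

if [ "${1:-}" = "--audit" ]; then
    audit_live_system
fi
```

The version comparison is deliberately numeric only: distribution kernels carry suffixes such as `-91-generic` that encode vendor build numbers, and a backported fix may land in a build that keeps the same upstream base version, so treat the comparison as a first pass and confirm against the vendor's advisory or changelog rather than the upstream number alone.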
