New Linux Flaw Exploits Multiple Distributions with Root Access


A Critical Vulnerability has been Identified in the Linux Kernel

A critical vulnerability in the Linux kernel, known as CIFSwitch, allows attackers to escalate privileges and gain root access on multiple Linux distributions.

The Flaw Affects Various Linux Systems

The vulnerability affects various Linux systems, including:

  • Linux Mint 21.3
  • CentOS Stream 9
  • Rocky Linux 9
  • AlmaLinux 9
  • Ubuntu (certain versions)
  • Debian (certain versions)
  • Pop!_OS (certain versions)
  • openSUSE (certain versions)
  • Oracle Linux (certain versions)
  • Amazon Linux (certain versions)

Cause of the Vulnerability

The vulnerability was caused by a failure in the Linux kernel’s CIFS subsystem to verify the origin of cifs.spnego key requests.

According to the researchers who discovered the flaw, “An unprivileged user can create a forged cifs.spnego request, triggering the normal authentication workflow and allowing them to load a malicious Name Service Switch (NSS) module, ultimately leading to root code execution.”

Patches and Mitigations Available

To address the vulnerability, users are advised to:

  • Disable or blacklist the CIFS module if unused
  • Remove the cifs-utils package if unnecessary
  • Disable unprivileged user namespaces
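
An added example (not from the original article or the researchers): a POSIX shell audit that reports which of the three mitigations listed above are in place on a host. The sysctl names, the modprobe.d patterns and the `cifs.upcall` helper paths are assumptions about a typical distribution layout, and `ROOT` is a hypothetical variable for pointing the checks at a constructed directory tree.

```shell
#!/bin/sh
# Added example: audit the three mitigations listed above on one host.
# ROOT (hypothetical) points the checks at a constructed tree; empty = live system.
ROOT="${ROOT:-}"

# True if the cifs module is loaded right now.
cifs_loaded() {
    grep -q '^cifs ' "$ROOT/proc/modules" 2>/dev/null
}

# True if modprobe.d has "blacklist cifs" or "install cifs /bin/false" (assumed patterns).
cifs_blocked() {
    grep -Eqs '^[[:space:]]*(blacklist[[:space:]]+cifs|install[[:space:]]+cifs[[:space:]]+(/usr)?/bin/(false|true))[[:space:]]*$' \
        "$ROOT"/etc/modprobe.d/*.conf
}

# True if the cifs-utils upcall helper is on disk (assumed install paths).
cifs_utils_present() {
    [ -e "$ROOT/usr/sbin/cifs.upcall" ] || [ -e "$ROOT/sbin/cifs.upcall" ]
}

# True if either sysctl that turns off unprivileged user namespaces is 0.
userns_disabled() {
    for f in user/max_user_namespaces kernel/unprivileged_userns_clone; do
        [ "$(cat "$ROOT/proc/sys/$f" 2>/dev/null)" = "0" ] && return 0
    done
    return 1
}

# Print the number of listed mitigations that are NOT in place (0-3).
mitigation_gaps() {
    n=0
    if cifs_loaded || ! cifs_blocked; then n=$((n + 1)); fi
    if cifs_utils_present; then n=$((n + 1)); fi
    if ! userns_disabled; then n=$((n + 1)); fi
    echo "$n"
}

# Human-readable summary; always returns 0 so it is safe under `set -e`.
audit_report() {
    cifs_loaded && echo "cifs module: LOADED"
    cifs_blocked || echo "cifs module: not blocked in modprobe.d"
    cifs_utils_present && echo "cifs-utils: cifs.upcall present"
    userns_disabled || echo "unprivileged user namespaces: not disabled"
    echo "mitigation gaps: $(mitigation_gaps) of 3"
    return 0
}

audit_report
```

A gap count of 0 only means the listed mitigations are configured; it does not show whether the kernel itself has been patched.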

A proof-of-concept exploit for CIFSwitch has been published to aid organizations in validating the effectiveness of applied patches and mitigations.

Notable Immune Distributions

Some distributions, such as:

  • Ubuntu 26.04
  • Fedora 40-44
  • openSUSE Leap 16

are immune to the vulnerability due to default SELinux/AppArmor settings preventing the attack.



