## https://sploitus.com/exploit?id=4844D9DA-C29D-5877-9267-D476E4320671
# cifswitch-check
A shell script to check whether a Linux system is exposed to **CIFSwitch (CVE-2026-46243)** โ a local privilege escalation vulnerability in the Linux kernel's CIFS/SMB client that has been present since 2007.
Runs on bare-metal hosts, VMs, and inside containers. Designed to drop straight into CI/CD pipelines.
---
## Background
CIFSwitch was disclosed on 28 May 2026 by security researcher [Asim Manizada](https://heyitsas.im/posts/cifswitch/). The flaw chains a missing input validation in the kernel's `cifs.spnego` key type with the rootful `cifs.upcall` helper from `cifs-utils`.
An unprivileged local user can call `request_key()` with a forged key description, causing the kernel to invoke `cifs.upcall` as root with attacker-controlled fields. With `upcall_target=app`, the helper enters the attacker's mount namespace and performs a `getpwuid()` lookup before dropping privileges โ loading an attacker-controlled NSS module and executing arbitrary code as root.
**Prerequisites for exploitation:**
- A vulnerable kernel (present since 2007, fixed in 6.18.22 / 6.19.12 / 7.0+)
- `cifs-utils` >= 6.14 installed
- Unprivileged user namespaces enabled (default on most distros)
- No enforcing SELinux/AppArmor policy blocking the path
A public PoC is available at [manizada/CIFSwitch](https://github.com/manizada/CIFSwitch).
---
## What it checks
| Check | Description |
|---|---|
| `KERNEL_VERSION` | Compares running kernel against patched upstream versions (note: distro packages still rolling out) |
| `CIFS_UTILS` | Detects `cifs-utils` installation and exploitable version (>= 6.14) |
| `CIFS_MODULE` | Checks if the CIFS kernel module is loaded, built-in, or blacklisted |
| `USERNS` | Reads `kernel.unprivileged_userns_clone` or `user.max_user_namespaces` sysctl |
| `REQUESTKEY_RULE` | Checks for an active `cifs.spnego` rule calling `cifs.upcall` |
| `MAC_POLICY` | Detects enforcing SELinux or AppArmor (blocks exploit on patched distros) |
| `CONTAINER_CAPS` | In containers: checks for `CAP_SYS_ADMIN` (enables unrestricted userns) |
| `CONTAINER_PROC` | In containers: checks for write access to `/proc/sys` (privileged container) |
| `FIX_SYMBOL` | If CIFS is loaded and `/proc/kallsyms` is readable: verifies the fix commit symbol is present |
---
## Usage
```bash
# Clone or download
curl -O https://raw.githubusercontent.com/YOUR_USERNAME/cifswitch-check/main/cifswitch-check.sh
chmod +x cifswitch-check.sh
# Run interactively (coloured output)
./cifswitch-check.sh
# Quiet mode โ only FAILs and final verdict
./cifswitch-check.sh --quiet
# JSON output โ for CI/CD pipelines, SIEM ingestion
./cifswitch-check.sh --ci
# No colour (plain text, useful for logging)
./cifswitch-check.sh --no-colour
```
### Exit codes
| Code | Meaning |
|---|---|
| `0` | Not vulnerable, or all critical mitigations in place |
| `1` | Vulnerable โ one or more FAIL checks |
| `2` | Script error |
---
## Example output
### Interactive (human-readable)
```
CIFSwitch Vulnerability Check (CVE-2026-46243)
Kernel: 6.18.5 Host: myserver Container: false
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[FAIL] KERNEL_VERSION Kernel 6.18.5 appears unpatched. Fixed in: >= 6.18.22, >= 6.19.12, >= 7.0. Update your kernel.
[PASS] CIFS_UTILS cifs-utils NOT installed โ cifs.upcall helper absent, attack chain is broken
[PASS] CIFS_MODULE CIFS kernel module not present on this system
[FAIL] USERNS user.max_user_namespaces = 15980 (non-zero). Disable to block namespace step:
[PASS] REQUESTKEY_RULE No cifs.spnego request-key rule found โ rootful cifs.upcall will not be invoked
[WARN] MAC_POLICY No enforcing MAC policy (SELinux/AppArmor) detected
[ -- ] FIX_SYMBOL CIFS module not loaded โ symbol check skipped
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
VERDICT: VULNERABLE โ remediation required
Reference: https://heyitsas.im/posts/cifswitch/
```
### JSON (`--ci`)
```json
{
"scanner": "cifswitch-check",
"cve": "CVE-2026-46243",
"timestamp": "2026-06-03T00:10:08Z",
"hostname": "myserver",
"kernel": "6.18.5",
"in_container": false,
"overall": "FAIL",
"checks": [
{"check": "KERNEL_VERSION", "status": "FAIL", "detail": "Kernel 6.18.5 appears unpatched. Fixed in: >= 6.18.22, >= 6.19.12, >= 7.0. Update your kernel."},
{"check": "CIFS_UTILS", "status": "PASS", "detail": "cifs-utils NOT installed โ cifs.upcall helper absent, attack chain is broken"},
{"check": "CIFS_MODULE", "status": "PASS", "detail": "CIFS kernel module not present on this system"},
{"check": "USERNS", "status": "FAIL", "detail": "user.max_user_namespaces = 15980 (non-zero). Disable to block namespace step:"},
{"check": "REQUESTKEY_RULE","status": "PASS", "detail": "No cifs.spnego request-key rule found โ rootful cifs.upcall will not be invoked"},
{"check": "MAC_POLICY", "status": "WARN", "detail": "No enforcing MAC policy (SELinux/AppArmor) detected"},
{"check": "FIX_SYMBOL", "status": "INFO", "detail": "CIFS module not loaded โ symbol check skipped"}
]
}
```
---
## CI/CD integration
### GitHub Actions
```yaml
- name: CIFSwitch vulnerability check
run: |
chmod +x ./cifswitch-check.sh
./cifswitch-check.sh --ci | tee cifswitch-result.json
# Exit code 1 will fail the step if the runner is vulnerable
```
### GitLab CI
```yaml
cifswitch-check:
stage: security
script:
- chmod +x cifswitch-check.sh
- ./cifswitch-check.sh --ci > cifswitch-result.json
artifacts:
paths:
- cifswitch-result.json
```
### Jenkins
```groovy
stage('CIFSwitch Check') {
steps {
sh 'chmod +x cifswitch-check.sh && ./cifswitch-check.sh --ci > cifswitch-result.json'
archiveArtifacts artifacts: 'cifswitch-result.json'
}
}
```
---
## Mitigations (if patching is not immediately possible)
**1. Patch your kernel** (when your distro package is available)
The upstream fix is commit [`3da1fdf4efbc`](https://github.com/torvalds/linux/commit/3da1fdf4efbc490041eb4f836bf596201203f8f2), queued for stable in kernels >= 6.18.22, >= 6.19.12, and >= 7.0. Distro backports are actively rolling out โ check your vendor's security advisory for CVE-2026-46243. Until a package is available, apply the mitigations below.
**2. Remove cifs-utils** (breaks the attack chain entirely if you don't use CIFS/SMB mounts)
```bash
apt remove cifs-utils # Debian / Ubuntu
dnf remove cifs-utils # RHEL / Fedora / AlmaLinux
```
**2. Disable unprivileged user namespaces** (blocks the namespace pivot step)
```bash
# Debian / Ubuntu
sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone=0' >> /etc/sysctl.d/99-cifswitch.conf
# RHEL / Fedora / upstream
sysctl -w user.max_user_namespaces=0
```
> โ ๏ธ This may break Flatpak, rootless Podman/Docker, and Chrome/Chromium sandboxing.
**3. Disable the cifs.spnego request-key rule**
```bash
sed -i 's|^create cifs.spnego|#create cifs.spnego|' /etc/request-key.d/cifs.spnego.conf
```
**4. Blacklist the CIFS kernel module** (if SMB network mounts are not in use)
```bash
echo 'blacklist cifs' >> /etc/modprobe.d/blacklist-cifs.conf
rmmod cifs 2>/dev/null || true
depmod -a
```
---
## Affected distributions
Exploitability requires `cifs-utils` >= 6.14 installed and unprivileged user namespaces enabled. Distributions **confirmed vulnerable** in default configuration include AlmaLinux 8/9, RHEL 8/9, CloudLinux 8/9/10, and several Ubuntu/Debian releases with `cifs-utils` present.
Distributions where default SELinux/AppArmor **prevents exploitation**: Ubuntu 26.04, Fedora 40โ44, CentOS Stream 10, Rocky Linux 10, AlmaLinux 10, SLES 16, openSUSE Leap 16.
Not affected: Amazon Linux 2, Kali Linux 2019.4/2020.4 (cifs-utils versions lack namespace-switch).
For RHEL/CentOS/Amazon distro kernels the script defers to the vendor advisory, as backport status cannot be reliably determined from the version string alone.
---
## Requirements
- `bash` >= 4.0
- Standard coreutils (`awk`, `grep`, `cut`, `find`, `sort`)
- No root required for most checks; root (or `CAP_SYSLOG`) needed for the kernel symbol check (`FIX_SYMBOL`)
---
## References
- [Original researcher writeup โ Asim Manizada](https://heyitsas.im/posts/cifswitch/)
- [SecurityWeek coverage](https://www.securityweek.com/19-year-old-linux-kernel-vulnerability-exposes-systems-to-root-access/)
- [BleepingComputer coverage](https://www.bleepingcomputer.com/news/security/new-cifswitch-linux-flaw-gives-root-on-multiple-distributions/)
- [CloudLinux advisory and mitigation guide](https://blog.cloudlinux.com/cifswitch-mitigation-and-kernel-update)
- [AlmaLinux advisory](https://almalinux.org/blog/2026-05-28-cifswitch/)
- [Upstream fix commit โ 3da1fdf4efbc](https://github.com/torvalds/linux/commit/3da1fdf4efbc490041eb4f836bf596201203f8f2)
- [NVD โ CVE-2026-46243](https://nvd.nist.gov/vuln/detail/CVE-2026-46243)
---
## Disclaimer
This script is provided for defensive purposes โ to help administrators assess and remediate exposure. It performs read-only checks and makes no changes to the system. The PoC exploit is not included or linked here; refer to the original researcher's advisory for that.