Share
## https://sploitus.com/exploit?id=4844D9DA-C29D-5877-9267-D476E4320671
# cifswitch-check

A shell script to check whether a Linux system is exposed to **CIFSwitch (CVE-2026-46243)** โ€” a local privilege escalation vulnerability in the Linux kernel's CIFS/SMB client that has been present since 2007.

Runs on bare-metal hosts, VMs, and inside containers. Designed to drop straight into CI/CD pipelines.

---

## Background

CIFSwitch was disclosed on 28 May 2026 by security researcher [Asim Manizada](https://heyitsas.im/posts/cifswitch/). The flaw chains a missing input validation in the kernel's `cifs.spnego` key type with the rootful `cifs.upcall` helper from `cifs-utils`.

An unprivileged local user can call `request_key()` with a forged key description, causing the kernel to invoke `cifs.upcall` as root with attacker-controlled fields. With `upcall_target=app`, the helper enters the attacker's mount namespace and performs a `getpwuid()` lookup before dropping privileges โ€” loading an attacker-controlled NSS module and executing arbitrary code as root.

**Prerequisites for exploitation:**
- A vulnerable kernel (present since 2007, fixed in 6.18.22 / 6.19.12 / 7.0+)
- `cifs-utils` >= 6.14 installed
- Unprivileged user namespaces enabled (default on most distros)
- No enforcing SELinux/AppArmor policy blocking the path

A public PoC is available at [manizada/CIFSwitch](https://github.com/manizada/CIFSwitch).

---

## What it checks

| Check | Description |
|---|---|
| `KERNEL_VERSION` | Compares running kernel against patched upstream versions (note: distro packages still rolling out) |
| `CIFS_UTILS` | Detects `cifs-utils` installation and exploitable version (>= 6.14) |
| `CIFS_MODULE` | Checks if the CIFS kernel module is loaded, built-in, or blacklisted |
| `USERNS` | Reads `kernel.unprivileged_userns_clone` or `user.max_user_namespaces` sysctl |
| `REQUESTKEY_RULE` | Checks for an active `cifs.spnego` rule calling `cifs.upcall` |
| `MAC_POLICY` | Detects enforcing SELinux or AppArmor (blocks exploit on patched distros) |
| `CONTAINER_CAPS` | In containers: checks for `CAP_SYS_ADMIN` (enables unrestricted userns) |
| `CONTAINER_PROC` | In containers: checks for write access to `/proc/sys` (privileged container) |
| `FIX_SYMBOL` | If CIFS is loaded and `/proc/kallsyms` is readable: verifies the fix commit symbol is present |

---

## Usage

```bash
# Clone or download
curl -O https://raw.githubusercontent.com/YOUR_USERNAME/cifswitch-check/main/cifswitch-check.sh
chmod +x cifswitch-check.sh

# Run interactively (coloured output)
./cifswitch-check.sh

# Quiet mode โ€” only FAILs and final verdict
./cifswitch-check.sh --quiet

# JSON output โ€” for CI/CD pipelines, SIEM ingestion
./cifswitch-check.sh --ci

# No colour (plain text, useful for logging)
./cifswitch-check.sh --no-colour
```

### Exit codes

| Code | Meaning |
|---|---|
| `0` | Not vulnerable, or all critical mitigations in place |
| `1` | Vulnerable โ€” one or more FAIL checks |
| `2` | Script error |

---

## Example output

### Interactive (human-readable)

```
  CIFSwitch Vulnerability Check  (CVE-2026-46243)
  Kernel: 6.18.5   Host: myserver   Container: false
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
[FAIL] KERNEL_VERSION         Kernel 6.18.5 appears unpatched. Fixed in: >= 6.18.22, >= 6.19.12, >= 7.0. Update your kernel.
[PASS] CIFS_UTILS             cifs-utils NOT installed โ€” cifs.upcall helper absent, attack chain is broken
[PASS] CIFS_MODULE            CIFS kernel module not present on this system
[FAIL] USERNS                 user.max_user_namespaces = 15980 (non-zero). Disable to block namespace step:
[PASS] REQUESTKEY_RULE        No cifs.spnego request-key rule found โ€” rootful cifs.upcall will not be invoked
[WARN] MAC_POLICY             No enforcing MAC policy (SELinux/AppArmor) detected
[ -- ] FIX_SYMBOL             CIFS module not loaded โ€” symbol check skipped
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€

  VERDICT: VULNERABLE โ€” remediation required
  Reference: https://heyitsas.im/posts/cifswitch/
```

### JSON (`--ci`)

```json
{
  "scanner": "cifswitch-check",
  "cve": "CVE-2026-46243",
  "timestamp": "2026-06-03T00:10:08Z",
  "hostname": "myserver",
  "kernel": "6.18.5",
  "in_container": false,
  "overall": "FAIL",
  "checks": [
    {"check": "KERNEL_VERSION", "status": "FAIL", "detail": "Kernel 6.18.5 appears unpatched. Fixed in: >= 6.18.22, >= 6.19.12, >= 7.0. Update your kernel."},
    {"check": "CIFS_UTILS",     "status": "PASS", "detail": "cifs-utils NOT installed โ€” cifs.upcall helper absent, attack chain is broken"},
    {"check": "CIFS_MODULE",    "status": "PASS", "detail": "CIFS kernel module not present on this system"},
    {"check": "USERNS",         "status": "FAIL", "detail": "user.max_user_namespaces = 15980 (non-zero). Disable to block namespace step:"},
    {"check": "REQUESTKEY_RULE","status": "PASS", "detail": "No cifs.spnego request-key rule found โ€” rootful cifs.upcall will not be invoked"},
    {"check": "MAC_POLICY",     "status": "WARN", "detail": "No enforcing MAC policy (SELinux/AppArmor) detected"},
    {"check": "FIX_SYMBOL",     "status": "INFO", "detail": "CIFS module not loaded โ€” symbol check skipped"}
  ]
}
```

---

## CI/CD integration

### GitHub Actions

```yaml
- name: CIFSwitch vulnerability check
  run: |
    chmod +x ./cifswitch-check.sh
    ./cifswitch-check.sh --ci | tee cifswitch-result.json
  # Exit code 1 will fail the step if the runner is vulnerable
```

### GitLab CI

```yaml
cifswitch-check:
  stage: security
  script:
    - chmod +x cifswitch-check.sh
    - ./cifswitch-check.sh --ci > cifswitch-result.json
  artifacts:
    paths:
      - cifswitch-result.json
```

### Jenkins

```groovy
stage('CIFSwitch Check') {
    steps {
        sh 'chmod +x cifswitch-check.sh && ./cifswitch-check.sh --ci > cifswitch-result.json'
        archiveArtifacts artifacts: 'cifswitch-result.json'
    }
}
```

---

## Mitigations (if patching is not immediately possible)

**1. Patch your kernel** (when your distro package is available)

The upstream fix is commit [`3da1fdf4efbc`](https://github.com/torvalds/linux/commit/3da1fdf4efbc490041eb4f836bf596201203f8f2), queued for stable in kernels >= 6.18.22, >= 6.19.12, and >= 7.0. Distro backports are actively rolling out โ€” check your vendor's security advisory for CVE-2026-46243. Until a package is available, apply the mitigations below.

**2. Remove cifs-utils** (breaks the attack chain entirely if you don't use CIFS/SMB mounts)
```bash
apt remove cifs-utils       # Debian / Ubuntu
dnf remove cifs-utils       # RHEL / Fedora / AlmaLinux
```

**2. Disable unprivileged user namespaces** (blocks the namespace pivot step)
```bash
# Debian / Ubuntu
sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone=0' >> /etc/sysctl.d/99-cifswitch.conf

# RHEL / Fedora / upstream
sysctl -w user.max_user_namespaces=0
```
> โš ๏ธ This may break Flatpak, rootless Podman/Docker, and Chrome/Chromium sandboxing.

**3. Disable the cifs.spnego request-key rule**
```bash
sed -i 's|^create cifs.spnego|#create cifs.spnego|' /etc/request-key.d/cifs.spnego.conf
```

**4. Blacklist the CIFS kernel module** (if SMB network mounts are not in use)
```bash
echo 'blacklist cifs' >> /etc/modprobe.d/blacklist-cifs.conf
rmmod cifs 2>/dev/null || true
depmod -a
```

---

## Affected distributions

Exploitability requires `cifs-utils` >= 6.14 installed and unprivileged user namespaces enabled. Distributions **confirmed vulnerable** in default configuration include AlmaLinux 8/9, RHEL 8/9, CloudLinux 8/9/10, and several Ubuntu/Debian releases with `cifs-utils` present.

Distributions where default SELinux/AppArmor **prevents exploitation**: Ubuntu 26.04, Fedora 40โ€“44, CentOS Stream 10, Rocky Linux 10, AlmaLinux 10, SLES 16, openSUSE Leap 16.

Not affected: Amazon Linux 2, Kali Linux 2019.4/2020.4 (cifs-utils versions lack namespace-switch).

For RHEL/CentOS/Amazon distro kernels the script defers to the vendor advisory, as backport status cannot be reliably determined from the version string alone.

---

## Requirements

- `bash` >= 4.0
- Standard coreutils (`awk`, `grep`, `cut`, `find`, `sort`)
- No root required for most checks; root (or `CAP_SYSLOG`) needed for the kernel symbol check (`FIX_SYMBOL`)

---

## References

- [Original researcher writeup โ€” Asim Manizada](https://heyitsas.im/posts/cifswitch/)
- [SecurityWeek coverage](https://www.securityweek.com/19-year-old-linux-kernel-vulnerability-exposes-systems-to-root-access/)
- [BleepingComputer coverage](https://www.bleepingcomputer.com/news/security/new-cifswitch-linux-flaw-gives-root-on-multiple-distributions/)
- [CloudLinux advisory and mitigation guide](https://blog.cloudlinux.com/cifswitch-mitigation-and-kernel-update)
- [AlmaLinux advisory](https://almalinux.org/blog/2026-05-28-cifswitch/)
- [Upstream fix commit โ€” 3da1fdf4efbc](https://github.com/torvalds/linux/commit/3da1fdf4efbc490041eb4f836bf596201203f8f2)
- [NVD โ€” CVE-2026-46243](https://nvd.nist.gov/vuln/detail/CVE-2026-46243)

---

## Disclaimer

This script is provided for defensive purposes โ€” to help administrators assess and remediate exposure. It performs read-only checks and makes no changes to the system. The PoC exploit is not included or linked here; refer to the original researcher's advisory for that.