CIFSwitch CVE-2026-46243: 19-Year Linux Kernel Bug Gives Any Local User Root

A 19-year-old Linux kernel bug went public on May 28, 2026. Researcher Asim Manizada named it CIFSwitch and published a working proof-of-concept exploit on GitHub the same day. CVE-2026-46243 was assigned on June 1. Patched kernels reached production repositories on June 2. Any unprivileged local user on an affected system can get a root shell in a single command. This is the fifth Linux kernel local privilege escalation in 2026, following Copy Fail, Dirty Frag, Fragnesia, and ssh-keysign-pwn. Patched kernels are available now. Check your exposure and update today.

CIFSwitch has been present in the Linux kernel since 2007. The flaw sits in the CIFS client SPNEGO upcall path and requires cifs-utils to be installed for exploitation.

What Is the CIFSwitch Linux Vulnerability?

The bug lives in fs/smb/client/cifs_spnego.c, which handles SPNEGO-based Kerberos authentication for the Linux kernel CIFS client. The file registers the cifs.spnego key type without validating that key creation requests actually come from the kernel’s own CIFS subsystem.

Because of that missing check, an unprivileged user can forge a cifs.spnego key description via the request_key(2) syscall, supplying crafted values for the pid, uid, creduid, and upcall_target fields. The kernel then passes those attacker-controlled values to cifs.upcall, a privileged Kerberos helper that trusts them as kernel-originating input.

The attacker then uses user namespace and mount namespace manipulation to force cifs.upcall to load a malicious NSS shared library. That library runs as root. According to Manizada’s full writeup, exploitation requires three conditions: cifs-utils installed with the default cifs.spnego request-key rule, unprivileged user namespaces enabled, and no SELinux or AppArmor policy blocking the path. Not every system qualifies. On those that do, exploitation is reliable and needs only a single command.

Check Your Exposure in 30 Seconds

Three conditions must all be true for CIFSwitch exploitation. Check all three before deciding whether to treat this as an emergency or a routine patch.

Run these checks on every Linux server you manage:

# Check 1: Is cifs-utils installed?
rpm -q cifs-utils         # RHEL / AlmaLinux / Rocky / Oracle
dpkg -l cifs-utils        # Ubuntu / Debian

# Not installed = NOT exposed via the public PoC

# Check 2: Are unprivileged user namespaces enabled?
sysctl user.max_user_namespaces
cat /proc/sys/user/max_user_namespaces
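# Value > 0 means user namespaces are allowed
# Distro-specific sysctls can further restrict unprivileged use:
# kernel.unprivileged_userns_clone (Debian), kernel.apparmor_restrict_unprivileged_userns (Ubuntu)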

# Check 3: Is the cifs.spnego request-key rule active?
grep -r "cifs.spnego" /etc/request-key.conf /etc/request-key.d/ 2>/dev/null
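# A rule that runs cifs.upcall means the full attack chain is reachable
# (the Option 2 "keyctl negate" override also matches this grep and does not count)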

If all three conditions are true on a server, treat it as urgent. The Red Hat RHSB-2026-005 security bulletin notes that environments without CIFS functionality should still apply the kernel patch to close the underlying flaw. The check above tells you how quickly you need to act.
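
The three checks combined into one triage script, as an added example that is not from the original article or from Manizada's writeup. The function names are hypothetical, and it assumes an exposed rule is an uncommented `create cifs.spnego` line that names cifs.upcall, which lets it tell the default rule apart from the Option 2 override.

```shell
#!/bin/sh
# Added example: CIFSwitch exposure triage (function names are hypothetical).
# File locations are arguments so the logic also runs on constructed files.

# Check 1. dpkg-query replaces "dpkg -l", which also succeeds for a removed
# package that left its config files behind ("rc" state).
cifs_utils_installed() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q cifs-utils >/dev/null 2>&1 && return 0
    fi
    command -v dpkg-query >/dev/null 2>&1 || return 1
    dpkg-query -W -f='${Status}' cifs-utils 2>/dev/null |
        grep -q 'install ok installed'
}

# Check 2. True when the given max_user_namespaces file holds a value > 0.
userns_enabled() {
    val=$(cat "$1" 2>/dev/null) || return 1
    [ "${val:-0}" -gt 0 ] 2>/dev/null
}

# Check 3. True only when an uncommented "create cifs.spnego" rule names
# cifs.upcall (assumption: that is what marks an exposed rule). Commented
# rules and a "keyctl negate" override also contain the string cifs.spnego,
# so a plain grep for the key type flags a mitigated host as exposed.
upcall_rule_active() {
    find "$@" -type f -name '*.conf' -exec grep -hE \
        '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]].*cifs\.upcall' \
        {} + 2>/dev/null | grep -q .
}

# cifswitch_urgent INSTALLED(yes|no) USERNS_FILE RULE_PATH...
# Returns 0 when all three conditions hold, 1 otherwise; prints the reason.
cifswitch_urgent() {
    installed=$1; userns_file=$2; shift 2
    [ "$installed" = yes ] || { echo "cifs-utils not installed"; return 1; }
    userns_enabled "$userns_file" || { echo "user namespaces disabled"; return 1; }
    upcall_rule_active "$@" || { echo "no active cifs.upcall rule"; return 1; }
    echo "all three conditions met"
}

# Live-host run using the locations from the checks above.
if cifs_utils_installed; then pkg=yes; else pkg=no; fi
if cifswitch_urgent "$pkg" /proc/sys/user/max_user_namespaces \
        /etc/request-key.conf /etc/request-key.d; then
    echo "URGENT: mitigate now, then patch and reboot"
else
    echo "Public PoC chain not reachable; still install the patched kernel"
fi
```

Run it as root or as a normal user; it only reads package state and configuration files.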

Apply an Immediate Mitigation (No Reboot Required)

Before a reboot window, break the attack chain with one of these options:

Option 1: Block the cifs kernel module

# Only if you do not mount CIFS/SMB shares
echo "install cifs /bin/false" > /etc/modprobe.d/disable-cifs.conf
rmmod cifs 2>/dev/null; lsmod | grep cifs

Option 2: Override the cifs.spnego request-key rule

# Breaks Kerberos CIFS auth but keeps normal SMB mounts working
cat > /etc/request-key.d/cifs.spnego.conf << 'EOF'
create cifs.spnego * * /usr/sbin/keyctl negate %k 30 %S
EOF
cat /etc/request-key.d/cifs.spnego.conf

Option 3: Remove cifs-utils

# RHEL / AlmaLinux / Rocky
dnf remove cifs-utils -y

# Ubuntu / Debian
apt remove cifs-utils -y

Option 2 is the least disruptive for systems that mount CIFS shares without Kerberos. Option 3 is cleanest if you do not use SMB client functionality at all.

Install the Patched Kernel

Patched kernels hit production repositories on June 2, 2026. The upstream fix is commit 3da1fdf4efbc. All major distributions now carry the backported patch.

Patched kernels are in production as of June 2, 2026. Update and reboot:

RHEL / AlmaLinux / Rocky / Oracle Linux

dnf clean metadata && dnf upgrade kernel -y
reboot
uname -r

Ubuntu / Debian

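# Debian's kernel metapackage is linux-image-<arch> (e.g. linux-image-amd64), not linux-image-generic
apt update && apt upgrade linux-image-generic -y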
reboot
uname -r

CloudLinux / cPanel servers (live patch, no reboot)

kcarectl --update
kcarectl --patch-info | grep CVE-2026-46243

Fedora

dnf upgrade --refresh -y && reboot

After rebooting, remove the temporary mitigations if you applied them:

# Remove cifs module block (Option 1)
rm /etc/modprobe.d/disable-cifs.conf

# Restore the original cifs.spnego request-key rule if you overrode it (Option 2)

# Reinstall cifs-utils if removed
dnf install cifs-utils -y   # RHEL / AlmaLinux
apt install cifs-utils -y   # Ubuntu / Debian

Five Linux Kernel LPEs in Five Weeks

Copy Fail (CVE-2026-31431) on April 29. Dirty Frag (CVE-2026-43284) on May 7. Fragnesia (CVE-2026-46300) on May 13. ssh-keysign-pwn (CVE-2026-46333) on May 21. Now the CIFSwitch Linux vulnerability (CVE-2026-46243) on May 28. Five kernel privilege escalations in five weeks.

The pace reflects a structural change in how vulnerabilities are tracked rather than a sudden collapse in kernel quality. The kernel team became a CVE Numbering Authority in 2024 and began assigning CVEs to previously undocumented bugs. Security researchers are also finding old code paths that have never been formally reviewed. The CIFSwitch flaw dates to 2007. It sat in the kernel for 19 years before anyone looked closely at the SPNEGO upcall trust model.

For sysadmins managing Linux fleets in 2026, the response pattern is the same each time: apply the no-reboot mitigation immediately, then schedule a kernel update and reboot. Our guide on patching CVE-2026-46333 ssh-keysign-pwn covers the same mitigation-then-patch pattern for the previous kernel LPE. The Linux server hardening checklist covers SELinux enforcement and unprivileged namespace restrictions that reduce exposure to this whole class of vulnerability.

Conclusion

The CIFSwitch Linux vulnerability CVE-2026-46243 has a public PoC and patched kernels in production now. Check whether cifs-utils is installed and user namespaces are enabled. Apply the request-key override for immediate protection before a reboot window. Then update the kernel and reboot. The upstream fix adds one validation check that should have been in the code since 2007. The patch is straightforward. Apply it today.
