Linux CIFSwitch — 18-year-old kernel LPE, PoC public, found by AI semantic graph analysis
TL;DR
Linux kernel CIFSwitch — an 18-year-old local privilege escalation, found via AI-assisted semantic graph analysis. PoC public. Major distros vulnerable, patch and isolate now.
The vulnerability sits in a verification gap between the Linux kernel's CIFS subsystem and the userspace cifs-utils helper. A low-privileged local user can run a single command to escalate to root. Hidden since 2007.
Attack path: set upcall_target=app and feed a malicious PID; cifs.upcall switches to the attacker-controlled process namespace before performing the NSS account lookup and dropping privileges, and privilege escalation is complete. No initial root access needed.
Confirmed affected distros: Ubuntu 18.04/20.04/22.04 LTS, Debian 11/12/13, Pop!_OS 22.04/24.04, openSUSE Leap 15.6, Rocky Linux 8, Oracle Linux 8/9, Amazon Linux 2023 (SELinux permissive). Also Linux Mint 21.3/22.3, Kali 2021.4–2026.1, Rocky 9, AlmaLinux 9.7, CentOS Stream 9, and multiple SUSE Enterprise versions.
Why it surfaced now. Researcher Asim Manizada used AI-assisted multi-hop reasoning — building a semantic graph of security-relevant objects and chaining subtle logic flaws — and found what 18 years of manual code audit missed.
This is the fourth Linux kernel LPE requiring immediate action in recent weeks, after Copy Fail (4/29), Dirty Frag (5/7), and Fragnesia (5/13).
Action: upstream kernel patch available; if you don't use CIFS, disable it. For orgs with 30–90 day patch approval cycles, that window is now a known-exploitable root LPE.
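As an added example (not from the article or from the BleepingComputer report), a POSIX shell script that checks a host for the two components the bug spans, the cifs kernel module and the cifs.upcall helper, and writes the modprobe fragment that disables CIFS where it is unused; the helper paths are the common defaults, and the /proc/modules and modprobe.d locations are parameters so the checks can be run against sample files.

```shell
#!/bin/sh
# Added example: audit the CIFS attack surface described above and, where
# CIFS is not needed, block the kernel module from loading.

# Print 1 if the cifs module appears in a /proc/modules-style file, else 0.
# A missing or unreadable file counts as "not loaded".
cifs_loaded_in() {
    grep -q '^cifs ' "$1" 2>/dev/null && echo 1 || echo 0
}

# Print 1 if the cifs.upcall helper (the userspace side of the verification
# gap) is installed at one of its usual locations, else 0.
cifs_upcall_present() {
    for p in /usr/sbin/cifs.upcall /sbin/cifs.upcall; do
        if [ -x "$p" ]; then
            echo 1
            return 0
        fi
    done
    echo 0
}

# Write the modprobe fragment that disables CIFS into the given modprobe.d
# directory and echo its contents. "install cifs /bin/false" makes any
# automatic or manual modprobe of cifs fail; "blacklist cifs" stops
# alias-based autoloading.
write_cifs_blacklist() {
    dir="$1"
    mkdir -p "$dir"
    printf 'install cifs /bin/false\nblacklist cifs\n' > "$dir/disable-cifs.conf"
    cat "$dir/disable-cifs.conf"
}

# Summarise the running host; the mitigation is printed, not applied.
audit_host() {
    echo "cifs module loaded:  $(cifs_loaded_in /proc/modules)"
    echo "cifs.upcall present: $(cifs_upcall_present)"
    echo "if CIFS is unused: write_cifs_blacklist /etc/modprobe.d && rmmod cifs"
}

audit_host
```

The blacklist only prevents future loads, so unload the module or reboot after writing it; hosts that do need CIFS mounts must take the kernel patch instead.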
via BleepingComputer
