Linux Kernel Vulnerability Hands Local Users Full Root
A serious Linux kernel vulnerability is making the rounds this month, and it has a name: CIFSwitch. It carries the identifier CVE-2026-46243. On affected systems, an ordinary user can become root with a single command. No password. No second step.
The flaw was disclosed on May 28, 2026 by security researcher Asim Manizada, who posted full details and a working proof-of-concept to the oss-security mailing list. The CVE was assigned on June 1. Patched kernels reached production repositories on June 2.
There is a second piece of news worth knowing. In early June, the U.S. Cybersecurity and Infrastructure Security Agency added a separate Linux kernel vulnerability to its Known Exploited Vulnerabilities list and gave federal agencies until June 5 to fix it. So this is a busy stretch for anyone running Linux.
What this Linux kernel vulnerability actually does
CIFSwitch lives in the Linux kernel’s CIFS client, the part that lets Linux mount and read Windows-style network file shares. The bug sits in the SPNEGO authentication path. In short, the kernel fails to properly check a key description before it acts on it. The root cause is missing validation in the cifs.spnego key type, according to a security alert published by CUHK’s IT services team.
Here is the part that makes people nervous. This Linux kernel vulnerability has been in the code since 2007. That is 19 years. It sat there, unnoticed, until someone took a close look at how the kernel trusts these authentication requests.
An unprivileged user can forge a key request and trick the kernel into running a helper program as root. From there, the attacker controls what that program loads and runs. The result is a root shell.
This is a local flaw, not a remote one. An attacker needs a way to run code on the machine first. That foothold can come from many directions: a stolen developer login, a compromised web process, a malicious build job, or a container with too much access. We have seen how quickly one weak point spreads. A hacked coding tool recently reached thousands of GitHub repositories before anyone caught it.

Not the first Linux kernel vulnerability of 2026
CIFSwitch is the fifth Linux kernel vulnerability of its kind reported this year. The list now includes Copy Fail (CVE-2026-31431) on April 29 with a CVSS score of 7.8, Dirty Frag (CVE-2026-43284) on May 7, Fragnesia (CVE-2026-46300) on May 13, ssh-keysign-pwn (CVE-2026-46333) on May 21, and now CIFSwitch on May 28.
So why so many at once? It is not that the kernel suddenly got worse. The Linux kernel team became an official CVE Numbering Authority in 2024. Since then, it has started assigning CVE numbers to old, undocumented bugs. Researchers are also digging through code paths that no one had reviewed in years. CIFSwitch is a good example. The flaw dates to 2007 and went unexamined for nearly two decades.
For administrators, the routine is familiar. Apply the quick mitigation now, then schedule the kernel update and reboot. It is the same steady patch work IT teams handled during Microsoft’s May patch cycle.
CISA flags a separate Linux kernel vulnerability
The CISA warning is about a different bug, CVE-2022-0492. It is an improper authentication flaw tied to the cgroups v1 release_agent feature. Cgroups handle resource limits and isolation, and they are everywhere in containers and cloud setups.
A local attacker can abuse the release_agent function to run commands with elevated privileges. In a container, that can mean breaking out and taking over the host. CISA placed this Linux kernel vulnerability in the Known Exploited Vulnerabilities catalog, which signals credible evidence that attackers are using it. Federal agencies had until June 5 to patch under Binding Operational Directive 22-01. Private organizations are not bound by that deadline, but the message is the same: do not wait.
CISA has raised this kind of alarm before, including for five zero-days under active attack flagged last month.
Who needs to pay attention
CIFSwitch does not hit every machine. Three conditions have to line up at the same time. The system needs cifs-utils installed (version 6.14 and higher is the main concern). It needs unprivileged user namespaces turned on. And it needs the CIFS kernel module loaded. On several popular distributions, those three sit there by default.
The list of affected distributions is broad. Red Hat, Ubuntu, Debian, SUSE, Oracle Linux, and Amazon Linux can all be exposed to this Linux kernel vulnerability, depending on how they are set up. Red Hat rates the issue as Important and notes that products built on its enterprise kernel, including OpenShift, may also be affected, per its vulnerability advisory.
The bigger risk is patch speed. The Verizon 2026 Data Breach Investigations Report found that organizations take a median of 43 days to fix critical bugs. With a public exploit available, that window is plenty of time for an attacker who already has local access. The same lesson showed up when an insider attack cost Coinbase about $400 million: once someone has access, damage moves fast.
What to do now
Start by checking exposure. See whether cifs-utils is installed, whether the CIFS module is loaded, and whether unprivileged user namespaces are enabled. If you do not mount Windows or SMB shares, you likely do not need CIFS at all.
My advice is simple: break one of those three conditions today. Remove the cifs-utils package, blacklist the CIFS kernel module, or disable the cifs.spnego request-key rule. Breaking any single condition stops the attack chain. Turning off unprivileged user namespaces also helps, and it limits other kernel flaws too.
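The exposure check and the "break one condition" advice above can be scripted; the following is an added example, not code from the researcher, the advisory, or any vendor. It assumes that an active cifs.spnego rule in the request-key configuration stands in for "cifs-utils is installed", it does not check the cifs-utils version or whether the kernel is already patched, and the optional root-prefix argument is a hypothetical convenience for testing against a copied file tree.

```shell
#!/bin/sh
# Added example: report which of the three CIFSwitch preconditions hold.
# $1 is an optional root prefix (hypothetical, for offline testing); empty = live system.

# Condition 1: an active (uncommented) request-key rule for the cifs.spnego key type.
spnego_upcall_configured() {
    grep -qs '^[[:space:]]*create[[:space:]][[:space:]]*cifs\.spnego' \
        "$1/etc/request-key.conf" "$1"/etc/request-key.d/*.conf
}

# Condition 2: the CIFS client module is currently loaded.
cifs_module_loaded() {
    grep -qs '^cifs ' "$1/proc/modules"
}

# Condition 3: unprivileged user namespaces. Conservative: counted as enabled
# unless a sysctl proves otherwise. LSM-based restrictions are not evaluated.
userns_unprivileged_enabled() {
    for f in "$1/proc/sys/user/max_user_namespaces" \
             "$1/proc/sys/kernel/unprivileged_userns_clone"; do  # second: Debian/Ubuntu
        if [ -r "$f" ] && [ "$(cat "$f")" = "0" ]; then return 1; fi
    done
    return 0
}

# Prints "PRECONDITIONS-MET ..." only when all three hold, else "CHAIN-BROKEN ...".
# Says nothing about whether the running kernel already carries the fix.
cifs_exposure() {
    root="${1:-}"; hits=0; report=""
    for check in spnego_upcall_configured cifs_module_loaded userns_unprivileged_enabled; do
        if "$check" "$root"; then
            hits=$((hits + 1)); report="$report $check=yes"
        else
            report="$report $check=no"
        fi
    done
    if [ "$hits" -eq 3 ]; then verdict="PRECONDITIONS-MET"; else verdict="CHAIN-BROKEN"; fi
    echo "$verdict$report"
}

cifs_exposure "${1:-}"
```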
Then do the real fix. Patching the kernel is the only lasting fix for this Linux kernel vulnerability. Apply the patched kernel from your distribution. The upstream fix is already merged, and vendor updates have been rolling out since June 2. Reboot when your maintenance window allows.
For the CISA-listed cgroups flaw, the steps rhyme: update to a patched kernel, restrict access to cgroup settings, and turn off unprivileged user namespaces where you can. Watch container environments for odd activity around cgroup changes.
We will keep tracking these privilege-escalation flaws and breach reports as patches and details land.

The short version
A 19-year-old Linux kernel vulnerability, CIFSwitch, now lets a local user grab root in one command, and a working exploit is public. CISA has flagged a separate kernel flaw as actively exploited. Patches exist for both. Check your systems, apply the quick mitigation today, and schedule the kernel update. Linux runs much of the internet’s plumbing, so a few hours of patch work now can save a lot of cleanup later.
FAQs
What is the CIFSwitch Linux kernel vulnerability?
CIFSwitch is a local privilege escalation bug tracked as CVE-2026-46243. It lets an unprivileged user on an affected machine run code as root by abusing the CIFS client’s SPNEGO authentication path.
Is my system exposed to this Linux kernel vulnerability?
You are at risk only if three things are true at once: cifs-utils is installed, the CIFS kernel module is loaded, and unprivileged user namespaces are enabled. Remove or disable any one of them to break the chain, then apply the patched kernel.
Has the flaw been patched?
Yes. The upstream kernel fix is merged, and vendor updates for major distributions have been rolling out since June 2, 2026. Install the update and reboot during your next maintenance window.

