CIFSwitch, a Linux Root Bug Hidden in Plain Sight for 19 Years

CIFSwitch is a 19-year-old Linux logic vulnerability in the CIFS client and cifs-utils helper that lets an attacker fabricate a cifs.spnego key and cause the root-run cifs.upcall to load attacker-controlled NSS libraries before dropping privileges, enabling local root. A public PoC exists, a kernel patch has been landed upstream, and exploitation depends on a vulnerable kernel, cifs-utils, and permissive user namespaces or MAC policies; removal of cifs-utils or blacklisting CIFS mitigates exposure.