AI description
CVE-2026-46243, dubbed "CIFSwitch," is a local privilege escalation vulnerability found in the Linux kernel's Common Internet File System (CIFS) client implementation. The flaw allows an unprivileged local user to forge `cifs.spnego` key descriptions. These descriptions, which typically contain authority-bearing fields like `pid`, `uid`, and `creduid`, are usually treated by the `cifs.upcall` helper as originating from the kernel. However, userspace can also create keys of this type, enabling an attacker to supply these fields without CIFS origin. The vulnerability arises because the kernel's CIFS subsystem fails to verify that `cifs.spnego` key requests originate from the kernel's CIFS client. This allows an unprivileged user to create a forged `cifs.spnego` request, triggering the normal authentication workflow and causing the root-privileged `cifs.upcall` helper to trust attacker-controlled data.
- Description
- In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.
- Source
- 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 7.8
- Impact score
- 5.9
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-20
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
2