A shell script to check whether a Linux system is exposed to CIFSwitch (CVE-2026-46243) — a local privilege escalation vulnerability in the Linux kernel's CIFS/SMB client that has been present since 2007.
Runs on bare-metal hosts, VMs, and inside containers. Designed to drop straight into CI/CD pipelines.
CIFSwitch was disclosed on 28 May 2026 by security researcher Asim Manizada. The flaw chains a missing input validation in the kernel's cifs.spnego key type with the rootful cifs.upcall helper from cifs-utils.
An unprivileged local user can call request_key() with a forged key description, causing the kernel to invoke cifs.upcall as root with attacker-controlled fields. With upcall_target=app, the helper enters the attacker's mount namespace and performs a getpwuid() lookup before dropping privileges — loading an attacker-controlled NSS module and executing arbitrary code as root.
Prerequisites for exploitation:
- A vulnerable kernel (present since 2007, fixed in 6.18.22 / 6.19.12 / 7.0+)
cifs-utils>= 6.14 installed- Unprivileged user namespaces enabled (default on most distros)
- No enforcing SELinux/AppArmor policy blocking the path
A public PoC is available at manizada/CIFSwitch.
| Check | Description |
|---|---|
KERNEL_VERSION |
Compares running kernel against patched upstream versions (note: distro packages still rolling out) |
CIFS_UTILS |
Detects cifs-utils installation and exploitable version (>= 6.14) |
CIFS_MODULE |
Checks if the CIFS kernel module is loaded, built-in, or blacklisted |
USERNS |
Reads kernel.unprivileged_userns_clone or user.max_user_namespaces sysctl |
REQUESTKEY_RULE |
Checks for an active cifs.spnego rule calling cifs.upcall |
MAC_POLICY |
Detects enforcing SELinux or AppArmor (blocks exploit on patched distros) |
CONTAINER_CAPS |
In containers: checks for CAP_SYS_ADMIN (enables unrestricted userns) |
CONTAINER_PROC |
In containers: checks for write access to /proc/sys (privileged container) |
FIX_SYMBOL |
If CIFS is loaded and /proc/kallsyms is readable: verifies the fix commit symbol is present |
# Clone or download
curl -O https://raw.githubusercontent.com/liamromanis101/cifswitch-check/main/cifswitch-check.sh
chmod +x cifswitch-check.sh
# Run interactively (coloured output)
./cifswitch-check.sh
# Quiet mode — only FAILs and final verdict
./cifswitch-check.sh --quiet
# JSON output — for CI/CD pipelines, SIEM ingestion
./cifswitch-check.sh --ci
# No colour (plain text, useful for logging)
./cifswitch-check.sh --no-colour
# This script is also available as a SKILL from Agensi:
https://www.agensi.io/skills/cve-2026-46243-cifswitch| Code | Meaning |
|---|---|
0 |
Not vulnerable, or all critical mitigations in place |
1 |
Vulnerable — one or more FAIL checks |
2 |
Script error |
CIFSwitch Vulnerability Check (CVE-2026-46243)
Kernel: 6.18.5 Host: myserver Container: false
────────────────────────────────────────────────────────────────────────
[FAIL] KERNEL_VERSION Kernel 6.18.5 appears unpatched. Fixed in: >= 6.18.22, >= 6.19.12, >= 7.0. Update your kernel.
[PASS] CIFS_UTILS cifs-utils NOT installed — cifs.upcall helper absent, attack chain is broken
[PASS] CIFS_MODULE CIFS kernel module not present on this system
[FAIL] USERNS user.max_user_namespaces = 15980 (non-zero). Disable to block namespace step:
[PASS] REQUESTKEY_RULE No cifs.spnego request-key rule found — rootful cifs.upcall will not be invoked
[WARN] MAC_POLICY No enforcing MAC policy (SELinux/AppArmor) detected
[ -- ] FIX_SYMBOL CIFS module not loaded — symbol check skipped
────────────────────────────────────────────────────────────────────────
VERDICT: VULNERABLE — remediation required
Reference: https://heyitsas.im/posts/cifswitch/
{
"scanner": "cifswitch-check",
"cve": "CVE-2026-46243",
"timestamp": "2026-06-03T00:10:08Z",
"hostname": "myserver",
"kernel": "6.18.5",
"in_container": false,
"overall": "FAIL",
"checks": [
{"check": "KERNEL_VERSION", "status": "FAIL", "detail": "Kernel 6.18.5 appears unpatched. Fixed in: >= 6.18.22, >= 6.19.12, >= 7.0. Update your kernel."},
{"check": "CIFS_UTILS", "status": "PASS", "detail": "cifs-utils NOT installed — cifs.upcall helper absent, attack chain is broken"},
{"check": "CIFS_MODULE", "status": "PASS", "detail": "CIFS kernel module not present on this system"},
{"check": "USERNS", "status": "FAIL", "detail": "user.max_user_namespaces = 15980 (non-zero). Disable to block namespace step:"},
{"check": "REQUESTKEY_RULE","status": "PASS", "detail": "No cifs.spnego request-key rule found — rootful cifs.upcall will not be invoked"},
{"check": "MAC_POLICY", "status": "WARN", "detail": "No enforcing MAC policy (SELinux/AppArmor) detected"},
{"check": "FIX_SYMBOL", "status": "INFO", "detail": "CIFS module not loaded — symbol check skipped"}
]
}- name: CIFSwitch vulnerability check
run: |
chmod +x ./cifswitch-check.sh
./cifswitch-check.sh --ci | tee cifswitch-result.json
# Exit code 1 will fail the step if the runner is vulnerablecifswitch-check:
stage: security
script:
- chmod +x cifswitch-check.sh
- ./cifswitch-check.sh --ci > cifswitch-result.json
artifacts:
paths:
- cifswitch-result.jsonstage('CIFSwitch Check') {
steps {
sh 'chmod +x cifswitch-check.sh && ./cifswitch-check.sh --ci > cifswitch-result.json'
archiveArtifacts artifacts: 'cifswitch-result.json'
}
}1. Patch your kernel (when your distro package is available)
The upstream fix is commit 3da1fdf4efbc, queued for stable in kernels >= 6.18.22, >= 6.19.12, and >= 7.0. Distro backports are actively rolling out — check your vendor's security advisory for CVE-2026-46243. Until a package is available, apply the mitigations below.
2. Remove cifs-utils (breaks the attack chain entirely if you don't use CIFS/SMB mounts)
apt remove cifs-utils # Debian / Ubuntu
dnf remove cifs-utils # RHEL / Fedora / AlmaLinux2. Disable unprivileged user namespaces (blocks the namespace pivot step)
# Debian / Ubuntu
sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone=0' >> /etc/sysctl.d/99-cifswitch.conf
# RHEL / Fedora / upstream
sysctl -w user.max_user_namespaces=0
⚠️ This may break Flatpak, rootless Podman/Docker, and Chrome/Chromium sandboxing.
3. Disable the cifs.spnego request-key rule
sed -i 's|^create cifs.spnego|#create cifs.spnego|' /etc/request-key.d/cifs.spnego.conf4. Blacklist the CIFS kernel module (if SMB network mounts are not in use)
echo 'blacklist cifs' >> /etc/modprobe.d/blacklist-cifs.conf
rmmod cifs 2>/dev/null || true
depmod -aExploitability requires cifs-utils >= 6.14 installed and unprivileged user namespaces enabled. Distributions confirmed vulnerable in default configuration include AlmaLinux 8/9, RHEL 8/9, CloudLinux 8/9/10, and several Ubuntu/Debian releases with cifs-utils present.
Distributions where default SELinux/AppArmor prevents exploitation: Ubuntu 26.04, Fedora 40–44, CentOS Stream 10, Rocky Linux 10, AlmaLinux 10, SLES 16, openSUSE Leap 16.
Not affected: Amazon Linux 2, Kali Linux 2019.4/2020.4 (cifs-utils versions lack namespace-switch).
For RHEL/CentOS/Amazon distro kernels the script defers to the vendor advisory, as backport status cannot be reliably determined from the version string alone.
bash>= 4.0- Standard coreutils (
awk,grep,cut,find,sort) - No root required for most checks; root (or
CAP_SYSLOG) needed for the kernel symbol check (FIX_SYMBOL)
- Original researcher writeup — Asim Manizada
- SecurityWeek coverage
- BleepingComputer coverage
- CloudLinux advisory and mitigation guide
- AlmaLinux advisory
- Upstream fix commit — 3da1fdf4efbc
- NVD — CVE-2026-46243
This script is provided for defensive purposes — to help administrators assess and remediate exposure. It performs read-only checks and makes no changes to the system. The PoC exploit is not included or linked here; refer to the original researcher's advisory for that.