Linux kernel CIFS subsystem CIFSwitch local privilege escalation privilege-escalation flaw
Vulnerability
Summary
Hide ▲
Show ▼
The Linux kernel CIFS subsystem has a disclosed CIFSwitch local privilege-escalation flaw that can let an unprivileged local attacker reach root privileges by abusing request_key and cifs.upcall in the CIFS authentication flow. The issue affects multiple Linux distributions with vulnerable kernel CIFS and cifs-utils combinations, including systems where cifs-utils ships by default. Major Linux distributions have rolled out fixes, and a proof-of-concept (PoC) is available to help validate patches, mitigations, detections, and exposure.
Related Happenings
Linux kernel improper privilege management flaw (CVE-2026-46333)
Vulnerability
H score39
First: 21.05.2026 10:35
Last: 21.05.2026 10:35
Sources 1
About this happening:
A **Linux kernel** privilege-management flaw, **CVE-2026-46333**, can let **unprivileged local users** on **Debian, Fedora, and Ubuntu** disclose **/etc/shadow** and **SSH host ke...
Linux kernel improper privilege management flaw (CVE-2026-46333)
VulnerabilityAbout this happening: A **Linux kernel** privilege-management flaw, **CVE-2026-46333**, can let **unprivileged local users** on **Debian, Fedora, and Ubuntu** disclose **/etc/shadow** and **SSH host ke...
Linux kernel RDS PinTheft local privilege escalation flaw (public PoC)
Vulnerability
H score15
First: 20.05.2026 13:52
Last: 20.05.2026 13:52
Sources 1
About this happening:
**PinTheft** now has a **public PoC exploit**, turning a recently patched **Linux kernel RDS** flaw into a practical **local privilege escalation** risk for **Arch Linux** systems...
Linux kernel RDS PinTheft local privilege escalation flaw (public PoC)
VulnerabilityAbout this happening: **PinTheft** now has a **public PoC exploit**, turning a recently patched **Linux kernel RDS** flaw into a practical **local privilege escalation** risk for **Arch Linux** systems...
Linux kernel rxgk local DirtyDecrypt/DirtyCBC privilege-escalation flaw (CVE-2026-31635)
Vulnerability
H score41
First: 18.05.2026 10:18
Last: 18.05.2026 10:18
Sources 1
About this happening:
A **proof-of-concept exploit** has been released for **DirtyDecrypt/DirtyCBC** (**CVE-2026-31635**), a **recently patched Linux kernel** flaw in **rxgk_decrypt_skb()** that can en...
Linux kernel rxgk local DirtyDecrypt/DirtyCBC privilege-escalation flaw (CVE-2026-31635)
VulnerabilityAbout this happening: A **proof-of-concept exploit** has been released for **DirtyDecrypt/DirtyCBC** (**CVE-2026-31635**), a **recently patched Linux kernel** flaw in **rxgk_decrypt_skb()** that can en...
Linux kernel XFRM ESP-in-TCP local privilege escalation (CVE-2026-46300)
Vulnerability
H score35
First: 14.05.2026 10:06
Last: 14.05.2026 10:06
Sources 1
About this happening:
**Fragnesia** adds a fresh **Linux kernel** local privilege-escalation path, putting **unprivileged local attackers** on a route to **root access** across major distributions. The...
Linux kernel XFRM ESP-in-TCP local privilege escalation (CVE-2026-46300)
VulnerabilityAbout this happening: **Fragnesia** adds a fresh **Linux kernel** local privilege-escalation path, putting **unprivileged local attackers** on a route to **root access** across major distributions. The...
Latest development: 14.05.2026 16:00
Cloud security firm Wiz identified Fragnesia (CVE-2026-46300) in the Dirty Frag family, a Linux local privilege escalation that lets unprivileged local users gain root by corrupting the kernel page cache of read-only files. William Bowling of Zellic and the V12 team were credited with the discovery, and a working proof-of-concept exploit was published on May 13, 2026.
Berz0k advertises zero-day Linux LPE exploit for sale
Threat Actor Meta
H score21
First: 14.05.2026 10:06
Last: 14.05.2026 10:06
Sources 1
About this happening:
**berz0k** is advertising a **zero-day Linux LPE exploit** for **$170,000** on **cybercrime forums**, signaling active monetization of root-level access in the exploit market. The...
Berz0k advertises zero-day Linux LPE exploit for sale
Threat Actor MetaAbout this happening: **berz0k** is advertising a **zero-day Linux LPE exploit** for **$170,000** on **cybercrime forums**, signaling active monetization of root-level access in the exploit market. The...
Timeline
-
01.06.2026 14:19 1 articles · 1mo ago
Major Linux distributions roll out CIFSwitch fixes
Mitigation Patch UpdateMajor Linux distributions rolled out fixes for the CIFSwitch Linux kernel CIFS privilege-escalation flaw, and Manizada published PoC code to help defenders validate patches, mitigations, detections, and exposure. Linux Mint, CentOS, Rocky Linux, Kali Linux, AlmaLinux, and SLES SAP systems that ship cifs-utils by default are vulnerable, and some distros are vulnerable only if cifs-utils was manually installed.
Show sources
- 19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access — www.securityweek.com — 01.06.2026 14:19
-
30.05.2026 17:16 2 articles · 1mo ago
CIFSwitch Linux kernel flaw enables root code execution
Initial DisclosureA newly disclosed Linux kernel CIFS flaw dubbed CIFSwitch lets an unprivileged local attacker forge cifs.spnego authentication requests, abuse the kernel key request flow, and reach root privileges on vulnerable systems. The issue affects some Linux distributions shipping vulnerable kernel CIFS and cifs-utils 6.14 and higher combinations, and the researcher says an upstream kernel patch now validates cifs.spnego request origins. A proof-of-concept exploit was also published to help validate patches and mitigations.
Show sources
- New CIFSwitch Linux flaw gives root on multiple distributions — www.bleepingcomputer.com — 30.05.2026 17:16
- New CIFSwitch Linux flaw gives root on multiple distributions — www.bleepingcomputer.com — 30.05.2026 17:16