CIFSwitch (CVE-2026-46243)
Document Version: 1.0 Severity: High (CVE), High (TrueNAS Impact)
CIFSwitch is a local privilege escalation vulnerability affecting the Linux kernel’s CIFS client subsystem in combination with the userspace cifs-utils package. An unprivileged local attacker can forge a cifs.spnego key request to cause the kernel to launch the cifs.upcall helper as root, then redirect that helper into an attacker-controlled namespace before it drops privileges. A malicious NSS module loaded in that namespace executes arbitrary code as root. TrueNAS CE/Enterprise ships both the vulnerable kernel CIFS module and cifs-utils with the default request-key rule that enables exploitation, and no architectural defense prevents the attack.
TrueNAS Impact: HIGH — Both prerequisites are present by default and no architectural defense mitigates this attack on TrueNAS CE/Enterprise.
- Component: Linux kernel CIFS client subsystem (fs/smb/client/cifs_spnego.c) and userspace cifs-utils (cifs.upcall helper)
- Attack Vector: Local — unprivileged local code execution on the host
- Prerequisites: cifs-utils installed with the default cifs.spnego request-key rule; CIFS kernel module loadable; unprivileged user namespace creation enabled (CLONE_NEWUSER)
- Kernel/Package Version Range: Linux kernel CIFS module from 2007 forward; cifs-utils 6.14+ (and older versions with specific backported patches)
The kernel’s cifs_spnego_key_type lacked a .vet_description hook to verify that cifs.spnego key requests originated from the kernel CIFS subsystem. The default rule in /etc/request-key.d/cifs.spnego.conf unconditionally invokes /usr/sbin/cifs.upcall as root for any cifs.spnego request, including those forged directly by an unprivileged user via request_key().
The attacker:
- Creates a user and network namespace via unshare(CLONE_NEWUSER | CLONE_NEWNET).
- Calls request_key("cifs.spnego", crafted_description, ...) with attacker-controlled fields, including a fake pid, uid, creduid, and upcall_target=app.
- The kernel invokes cifs.upcall as root. cifs.upcall reads the attacker-supplied upcall_target=app and fake pid from the key description and uses them to switch into the attacker's namespace before dropping privileges.
- Inside the attacker's namespace, cifs.upcall performs getpwuid() NSS lookups against the attacker's /etc/nsswitch.conf, which points to a malicious libnss_*.so.2 module.
- The malicious NSS module executes as root, before the privilege drop, and writes attacker-controlled content to /etc/sudoers, /etc/passwd, or a similar path to establish persistent root access.
This attack is deterministic, requires no race condition, and succeeds in a single invocation.
All currently supported TrueNAS CE/Enterprise releases are affected. The kernel fix (3da1fdf4efbc) was merged to mainline on 2026-05-16 and has not been backported to the linux-6.12.y stable branch as of this document’s date.
- 24.04.x series
- 24.10.x series
- 25.04.x series
- 25.10.x series (fixed in 25.10.4)
TrueNAS CE/Enterprise systems satisfy all prerequisites for this exploit:
- CIFS kernel module present: The cifs module is available and loadable on all SCALE releases.
- cifs-utils installed: TrueNAS CE/Enterprise ships cifs-utils (confirmed: 2:7.4-1). The cifs.upcall helper binary is present at /usr/sbin/cifs.upcall.
- Default request-key rule active: The default rule create cifs.spnego * * /usr/sbin/cifs.upcall %k is installed by the cifs-utils package and is active in /etc/request-key.d/cifs.spnego.conf.
- Unprivileged user namespaces enabled: CLONE_NEWUSER is available to unprivileged processes on TrueNAS CE/Enterprise.
- No enforcing LSM: TrueNAS CE/Enterprise does not ship AppArmor or SELinux in enforcing mode. Policies that would block namespace switching or request_key() are not applied.
No architectural defense on TrueNAS CE/Enterprise prevents exploitation of this vulnerability in the absence of the kernel patch. The attacker achieves root code execution through a trusted userspace helper; the malicious NSS module runs with full root capability before any filesystem interaction that could be intercepted by storage-layer defenses.
Testing performed:
- No internal exploit testing has been completed as of this document’s date. The attack surface analysis is based on confirmed package inventory and kernel configuration. Testing is in progress.
CIFSwitch is a deterministic local privilege escalation that affects a broad range of Linux distributions shipping cifs-utils with default configuration. The exploit requires no race condition and succeeds reliably in a single invocation. A public proof-of-concept has been released. The attack is confirmed working against Fedora, Ubuntu, CentOS, SLES, Rocky Linux, AlmaLinux, Oracle Linux, Amazon Linux, openSUSE, Debian, Linux Mint, Pop!_OS, and Kali Linux. The issue is tracked as CVE-2026-46243; no stable-branch kernel patch is available as of this document's date.
TrueNAS CE/Enterprise satisfies all exploit prerequisites with default configuration and has no architectural defense that prevents this attack. The risk is constrained by the same factor that bounds all local-only attacks on TrueNAS: the appliance deployment model limits local code execution to trusted administrators. However:
- TrueNAS Apps and custom containers allow tenant workloads to execute code on the host kernel. A malicious or compromised application running in a TrueNAS App environment could exploit this vulnerability to escape to root on the host.
- TrueNAS installations with multiple local administrator accounts face real escalation risk if non-root shell access is granted to any of those accounts.
- The local-only constraint does not reduce risk in environments where local access is part of the threat model.
The assessment is HIGH rather than CRITICAL because remote exploitation is not possible and stock appliance deployments with no untrusted local code execution have limited practical exposure.
Two persistent mitigation options are available. Both prevent exploitation by removing a required exploit prerequisite.
Option 1 — Blacklist the CIFS kernel module (recommended for most deployments):
Blacklisting the cifs module prevents the kernel from launching cifs.upcall in response to any cifs.spnego request, blocking the exploit at the kernel level. This does not affect TrueNAS SMB serving (which uses Samba in userspace) but will prevent the TrueNAS host from mounting CIFS/SMB shares as a client.
midclt call system.advanced.update '{"kernel_extra_options": "module_blacklist=cifs"}'
A reboot is required for the kernel parameter to take effect. This mitigation persists across reboots and propagates to the HA standby controller. Note that the call replaces the whole kernel_extra_options string: if other parameters are already set (check with midclt call system.advanced.config), include them alongside module_blacklist=cifs in the new value rather than overwriting them.
Option 2 — Negate the cifs.spnego request-key rule:
Replacing the default rule with a negate entry prevents cifs.upcall from being invoked for any cifs.spnego request. This is more targeted than Option 1 — the CIFS client module remains functional for non-Kerberos mounts — but breaks Kerberos authentication for CIFS client mounts.
Edit /etc/request-key.d/cifs.spnego.conf and replace its contents with:
negate cifs.spnego * * /bin/false
Note: this file may be overwritten on cifs-utils package upgrade. Verify after system updates.
Verification (either option):
After rebooting, confirm the mitigation is active:
# Option 1: confirm module is not loaded
lsmod | grep cifs && echo "WARNING: cifs loaded" || echo "cifs not loaded"
# Option 2: confirm rule is negated
grep negate /etc/request-key.d/cifs.spnego.conf
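As an added example (not part of the TrueNAS advisory or of any TrueNAS or cifs-utils tooling), the following POSIX shell script folds the two verification checks above, plus the unprivileged-user-namespace prerequisite, into functions that can be run against the live host with --live or against constructed inputs. The file paths and sysctl locations it reads are assumptions about a stock Debian-based TrueNAS install; the kernel.unprivileged_userns_clone knob is a Debian-specific addition that may be absent, in which case the script treats user namespaces as enabled. Unlike the one-liners above, it also reports the pre-reboot state in which module_blacklist=cifs has been set but the module is still loaded.

```shell
#!/bin/sh
# cifswitch_audit.sh: check a host for the CIFSwitch exploit prerequisites and
# for the two mitigations described in the advisory. Added example; not
# TrueNAS or cifs-utils code. Every function takes its inputs as arguments or
# file paths so it can be exercised against constructed data; main() gathers
# the live values from the assumed locations when the script is run with --live.

# 0 if the request-key config still has an active "create cifs.spnego ..." rule
# that invokes cifs.upcall (Option 2 NOT applied); 1 if negated, absent or unreadable.
rule_invokes_upcall() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -v '^[[:space:]]*#' "$conf" |
        grep -Eq '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]].*cifs\.upcall'
}

# 0 if module_blacklist= on the kernel command line lists cifs (Option 1 set).
# module_blacklist= takes a comma-separated list, so match cifs as one element
# (module_blacklist=cifsd must not count).
cmdline_blacklists_cifs() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^module_blacklist=//p' |
        tr ',' '\n' | grep -qx 'cifs'
}

# 0 if lsmod (or /proc/modules) output shows the cifs module loaded.
module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "cifs" { found = 1 } END { exit !found }'
}

# 0 if unprivileged user namespaces appear enabled: $1 is the value of
# /proc/sys/user/max_user_namespaces, $2 the value of the Debian-only
# /proc/sys/kernel/unprivileged_userns_clone ("" when that file is absent).
userns_enabled() {
    max="${1:-0}"
    clone="$2"
    [ "$max" -gt 0 ] 2>/dev/null || return 1
    [ -z "$clone" ] || [ "$clone" = "1" ]
}

# Combine the checks. Prints a verdict; returns 0 when a mitigation (or a
# missing prerequisite) blocks the attack, 1 when the host is exposed.
audit() {
    conf="$1"; cmdline="$2"; modules="$3"; max="$4"; clone="$5"
    if cmdline_blacklists_cifs "$cmdline"; then
        if module_loaded "$modules"; then
            echo "PENDING: module_blacklist=cifs is set but cifs is still loaded; reboot required"
        else
            echo "MITIGATED: cifs module blacklisted and not loaded (Option 1)"
            return 0
        fi
    fi
    if ! rule_invokes_upcall "$conf"; then
        echo "MITIGATED: no active create rule invokes cifs.upcall for cifs.spnego (Option 2)"
        return 0
    fi
    if ! userns_enabled "$max" "$clone"; then
        echo "MITIGATED: unprivileged user namespace creation is disabled (prerequisite missing)"
        return 0
    fi
    echo "EXPOSED: cifs loadable, default cifs.spnego rule active, unprivileged userns enabled"
    return 1
}

# Live mode: read the real host state from the assumed paths.
main() {
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    modules=$(lsmod 2>/dev/null || cat /proc/modules 2>/dev/null)
    max=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)
    clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null)
    audit /etc/request-key.d/cifs.spnego.conf "$cmdline" "$modules" "$max" "$clone"
}

if [ "${1:-}" = "--live" ]; then
    main
fi
```

Run it as root with `sh cifswitch_audit.sh --live` after every reboot and after every system update, since the request-key rule can be restored by a cifs-utils package upgrade and the kernel parameter can be lost if kernel_extra_options is overwritten. A non-zero exit means the host is still exposed.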
Reversion (after upgrading to TrueNAS 25.10.4 or later):
midclt call system.advanced.update '{"kernel_extra_options": ""}'
This clears kernel_extra_options entirely; if other parameters were set alongside module_blacklist=cifs, set the string to those parameters instead. For Option 2, restore the default create rule shown above in /etc/request-key.d/cifs.spnego.conf.
Deployments running untrusted or third-party applications in the TrueNAS Apps system should apply one of the above mitigations promptly. A compromised or malicious App process with access to request_key() can use this vulnerability to escalate to host root. Standard container namespace isolation does not prevent this attack.
Clear the test user's keyrings (for example with keyctl clear @s) after testing, since the requested cifs.spnego key, or its negative cache entry, otherwise remains linked there until it expires. Exploit success modifies /etc/sudoers or similar files in the host namespace; those changes persist until manually reverted or the system is restored from backup.
The upstream fix adds a .vet_description callback to cifs_spnego_key_type in fs/smb/client/cifs_spnego.c. The callback rejects any key instantiation request whose calling credential does not match the internal spnego_cred established by the kernel CIFS subsystem, preventing unprivileged userspace from triggering cifs.upcall via a forged request_key() call.
Fix commit (mainline): 3da1fdf4efbc490041eb4f836bf596201203f8f2
smb: client: reject userspace cifs.spnego descriptions
Merged: 2026-05-16; present in v7.1-rc5
Status in linux-6.12.y stable: Not yet backported as of Linux 6.12.88 (2026-05-14).
TrueNAS fix: Scheduled for inclusion in TrueNAS 25.10.4.
- Researcher disclosure: “CIFSwitch” by Asim Viladi Oglu Manizada — https://heyitsas.im/posts/cifswitch
- oss-security disclosure: https://seclists.org/oss-sec/2026/q2/717
- Upstream fix: https://github.com/torvalds/linux/commit/3da1fdf4efbc490041eb4f836bf596201203f8f2
- TrueNAS Security: https://security.truenas.com
CIFSwitch (CVE-2026-46243) represents a genuine local privilege escalation risk to TrueNAS CE/Enterprise. Both exploit prerequisites — the CIFS kernel module and cifs-utils with its default request-key rule — are present in all supported TrueNAS CE/Enterprise releases, and no architectural defense prevents the attack. The risk is primarily constrained by the local-access requirement; deployments running untrusted App workloads or granting non-root shell access face materially higher exposure. Either mitigation option above should be applied in environments where local code execution by non-trusted parties is possible. This assessment will be updated when internal exploit testing against TrueNAS CE/Enterprise is complete. A fix will be included in TrueNAS 25.10.4.
This document will be updated as additional information becomes available or if circumstances change.