If you have cifs-utils installed on a Linux system, you may be one command away from a root shell — even if you never mount SMB shares. CVE-2026-46243 ("CIFSwitch") is a local privilege escalation in the Linux kernel's CIFS client that has existed since 2007. A public PoC is available now, and the patch window is closing.
Affected versions
The vulnerability spans virtually every modern kernel release:
| Range | Fixed at |
|---|---|
| 2.6.24.1 – 5.10.256 | 5.10.257 |
| 5.11 – 5.15.207 | 5.15.208 |
| 5.16 – 6.1.173 | 6.1.174 |
| 6.2 – 6.6.140 | 6.6.141 |
| 6.7 – 6.12.90 | 6.12.91 |
| 6.13 – 6.18.32 | 6.18.33 |
| 6.19 – 7.0.9 | 7.0.10 |
Confirmed vulnerable distributions include AlmaLinux 9, Rocky Linux 9, CentOS Stream 9, Linux Mint 21/22, Kali Linux, SLES 15 SP7, and RHEL 6–10 (including derivatives like OpenShift and OpenStack). Debian and Ubuntu are affected if cifs-utils was installed manually.
Are you exposed?
Check if cifs-utils is installed and whether unprivileged user namespaces are enabled — both are required for exploitation:
# Check for cifs-utils
rpm -q cifs-utils 2>/dev/null || dpkg -l cifs-utils 2>/dev/null
# Check if unprivileged user namespaces are on (most distros: 1 = on)
cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || \
sysctl kernel.unprivileged_userns_clone 2>/dev/nullIf cifs-utils is installed and unprivileged namespaces are active, you are vulnerable unless your kernel is patched. SELinux or AppArmor in enforcing mode reduces exposure but is not a reliable fix.
How to patch
RHEL, AlmaLinux, Rocky Linux, CentOS Stream:
sudo dnf update kernel cifs-utils -y
sudo rebootDebian, Ubuntu, Kali, Linux Mint:
sudo apt update && sudo apt upgrade linux-image-generic cifs-utils -y
sudo rebootSLES:
sudo zypper patch
sudo rebootIf you cannot patch immediately, the safest interim workaround is to remove the package entirely if you do not use SMB mounts:
# RHEL family
sudo dnf remove cifs-utils -y
# Debian family
sudo apt remove cifs-utils -yOr blacklist the kernel module:
echo "blacklist cifs" | sudo tee /etc/modprobe.d/disable-cifs.conf
sudo modprobe -r cifs 2>/dev/nullHow urgent is this?
CISA rates this CVSS 7.8 (High); the kernel.org CNA scores it 7.1. Either way: a low-privileged local user with no special setup can reach root. The exploit chain works by forging CIFS SPNEGO key descriptions to trick the kernel's cifs.upcall helper into loading an attacker-controlled NSS library as root. The attack requires three conditions simultaneously: cifs-utils installed, unprivileged user namespaces active (the default on most distros since 2018), and no LSM in enforcing mode blocking namespace creation.
A public PoC has been available since the embargo lifted on 27 May 2026, and the technical writeup with full exploitation details is now widely circulated. Distro patches reached production repositories around 2 June — if your systems haven't been updated since then, they are exposed to an exploit that is no longer novel.
This is not a theoretical risk. Patch, reboot, done.