Cybersecurity Announcement: Linux Kernel Privilege Escalation to Root Vulnerability - CIFSwitch
This document is the cybersecurity announcement for the CIFSwitch Linux LPE vulnerability.
About the Event
CIFSwitch is a Linux LPE vulnerability that targets the Common Internet File System (CIFS) kernel module.
Actions to Consider
This attack is similar to Copy-Fail. As it is a consistent Local Privilege Escalation (LPE), no race condition is necessary. Cybersecurity recommends that Linux administrators evaluate their risks and apply the backported kernel patch during their next patching cycle. Mitigation instructions are also included in the articles linked in the References section.
If you believe you may have been compromised, please contact the Office of Cybersecurity at cybersecurity@cio.wisc.edu.
Event Impact
Any local unprivileged user would be able to obtain root-level access, resulting in a full system takeover. Proof of concept code is already publicly available. The CIFS module may be enabled or disabled by default depending on your distro. Please see https://heyitsas.im/posts/cifswitch/#distro-impact-tables to view affected distributions.
References