Local root via forged cifs.spnego key description in Linux CIFS/cifs.upcall
CVE-2026-46243 is a local privilege escalation vulnerability involving the Linux kernel CIFS/SMB client and userspace cifs-utils integration via request-key. The flaw exists because cifs.spnego key descriptions include authority-bearing fields such as pid, uid, creduid, and upcall_target, and cifs.upcall treats those fields as if they originated from the kernel CIFS client. However, unprivileged users can also create or request keys of type cifs.spnego via request_key(2) or add_key(2), allowing attacker-controlled descriptions to be processed as trusted input. In the vulnerable path, a local attacker can invoke request_key("cifs.spnego", ...) with a forged description, causing the request-key rule to launch cifs.upcall as root. When upcall_target is set to app, affected cifs-utils versions may switch into attacker-specified process namespaces before the final privilege drop, and may perform NSS lookups before privileges are fully dropped. This enables root-context code execution through attacker-controlled namespace content such as a malicious /etc/nsswitch.conf and libnss_*.so.2 in a private mount namespace. The kernel fix restricts acceptance of cifs.spnego descriptions to cases where CIFS is requesting the key using its private spnego_cred, thereby rejecting userspace-forged descriptions.
Exploits
One public repository has been confirmed as a working exploit (other listings were filtered out as fakes, detection scripts, or README-only repositories).

The repository is a standalone Go local privilege escalation exploit, not tied to a common exploit framework. It contains six files, among them README.md, go.mod, and three Go source files (main.go, nss.go, trigger.go). The code is a Go port of the CIFSwitch technique, abusing Linux kernel keyring handling for cifs.spnego together with cifs-utils' cifs.upcall behavior.

main.go is the entry point and orchestration logic. It performs environment checks, determines the current username, verifies prerequisites (gcc, unshare, sudo, mount, /usr/sbin/cifs.upcall, an active request-key rule, user namespaces, and a loaded CIFS module), compiles the malicious NSS library, writes a fake nsswitch.conf, launches the namespace-isolated trigger stage, checks for evidence of successful code execution as root, and finally invokes sudo -n /bin/bash -p for a root shell.

nss.go contains the embedded C source template for libnss_pwn.so.2 and the helpers that compile it and generate the fake nsswitch.conf. The malicious NSS module uses a constructor that executes immediately on dlopen(), writes an evidence log, attempts to create a passwordless sudoers entry under /etc/sudoers.d/, and, if that fails, creates a setuid-root copy of /bin/bash in /var/tmp.

trigger.go handles the namespace setup and the exploit trigger: it re-execs the binary inside a new user and mount namespace, makes mounts private, optionally triggers CIFS module autoload via a dummy mount, masks nscd cache directories, bind-mounts the fake nsswitch.conf over /etc/nsswitch.conf or /usr/etc/nsswitch.conf, overlays attacker-controlled NSS library directories over the system NSS library paths, and finally issues a forged request_key syscall for key type cifs.spnego with upcall_target=app and pid=<self>.

Main exploit capability: local root privilege escalation. The exploit abuses the fact that cifs.upcall, started as root by request-key, can be induced to switch into the attacker's mount namespace before NSS lookups and before dropping privileges. By controlling nsswitch.conf and the NSS library search path inside that namespace, the attacker causes root to load libnss_pwn.so.2, whose constructor performs privileged file writes. The intended result is a passwordless sudoers rule for the current user, followed by execution of a root bash shell; a fallback path creates a setuid-root shell if direct sudoers creation fails. This is clearly an operational exploit rather than a detector: it contains full exploitation logic, runtime payload generation, namespace manipulation, syscall wrappers for request_key and keyctl, and post-exploitation steps to obtain an interactive root shell.
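The summary above and the exploit's own prerequisite check rely on the same four host conditions: a request-key rule that routes cifs.spnego requests into cifs.upcall, the cifs.upcall binary, the cifs module (loaded or autoloadable), and unprivileged user namespaces. The following read-only audit checks for them. It is an added example, not code from the CVE entry, from cifs-utils, or from the exploit repository; the rule text and the /usr/sbin/cifs.upcall path are the ones cifs-utils ships, the sysctl names are the standard Linux ones, and the function names are this example's own. Every check takes a filesystem root so it can be run against the live host or against constructed copies of the files.

```shell
#!/bin/sh
# Exposure check for the forged cifs.spnego -> cifs.upcall path described above.
# Added example: not code from the CVE entry, cifs-utils or the exploit repository.
# Read-only: it inspects configuration and kernel state and never calls request_key(2).
# Each check takes a filesystem root ("" = live host) or the individual file to inspect.

# The request-key rule that starts cifs.upcall as root for any cifs.spnego request.
# cifs-utils ships it as:  create  cifs.spnego  *  *  /usr/sbin/cifs.upcall %k
has_cifs_spnego_rule() {        # $1: request-key.conf or request-key.d/*.conf
    [ -r "$1" ] && grep -Eq '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]].*cifs\.upcall' "$1"
}

# The cifs module provides the cifs.spnego key type. The exploit autoloads it with a
# dummy mount, so "not loaded" only means "not loaded yet".
cifs_module_loaded() {          # $1: /proc/modules (or a copy)
    [ -r "$1" ] && grep -Eq '^cifs[[:space:]]' "$1"
}

# Unprivileged user namespaces are needed to build the private mount namespace that
# cifs.upcall is switched into. Returns 0 unless a sysctl explicitly disables them.
userns_unprivileged() {         # $1: /proc/sys (or a copy)
    for f in "$1/user/max_user_namespaces" "$1/kernel/unprivileged_userns_clone"; do
        if [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "0" ]; then
            return 1
        fi
    done
    return 0
}

# Prints one line per precondition found under root $1 and returns the count (0..4)
# as its exit status.
count_preconditions() {
    root=$1
    found=0
    for conf in "$root/etc/request-key.conf" "$root"/etc/request-key.d/*.conf; do
        if has_cifs_spnego_rule "$conf"; then
            echo "request-key rule routes cifs.spnego to cifs.upcall: $conf"
            found=$((found + 1))
            break
        fi
    done
    if [ -x "$root/usr/sbin/cifs.upcall" ]; then
        echo "cifs.upcall installed: $root/usr/sbin/cifs.upcall"
        found=$((found + 1))
    fi
    if cifs_module_loaded "$root/proc/modules"; then
        echo "cifs module loaded"
        found=$((found + 1))
    fi
    if userns_unprivileged "$root/proc/sys"; then
        echo "unprivileged user namespaces allowed"
        found=$((found + 1))
    fi
    return "$found"
}

# Live audit:  sh audit_cifs_upcall.sh --audit
if [ "${1:-}" = "--audit" ]; then
    n=0
    count_preconditions "" || n=$?
    echo "preconditions present: $n/4"
fi
```

Four of four on an unpatched host means the checks the exploit performs before firing would pass. Removing the request-key rule or disabling unprivileged user namespaces takes away a precondition, but the first also breaks Kerberos-authenticated CIFS mounts (the rule exists for them) and neither is the fix: only the kernel change that accepts cifs.spnego descriptions when CIFS itself requests the key with its private spnego_cred closes the issue, and this page gives no fixed version numbers, so take those from your distribution's advisory. For detection, auditing the request_key(2) syscall from unprivileged users (for example auditctl -a always,exit -F arch=b64 -S request_key -F auid>=1000 -F auid!=unset -k cifs_spnego) surfaces the forged call, because legitimate cifs.spnego requests are issued by the kernel and never pass through the syscall; expect some noise from other userspace keyring clients.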