CVE-2026-46243

HIGH

smb: client: reject userspace cifs.spnego descriptions

Title source: cna

Exploitation Summary

EIP tracks 4 public exploits for CVE-2026-46243. PoCs published by Unclecheng-li, Koshmare-Blossom, liamromanis101.

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: reject userspace cifs.spnego descriptions

cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.

Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.

Exploits (4)

github · WORKING POC · 504 stars
by Unclecheng-li · c · poc
https://github.com/Unclecheng-li/poc-lab/tree/main/CVE-2026-46243 CIFSwitch

This repository contains a functional exploit for CVE-2026-46243, a local privilege escalation vulnerability in the Linux Kernel CIFS component. The exploit leverages a missing source validation in `cifs.spnego` key descriptions to manipulate `cifs.upcall` into loading a malicious NSS library, thereby granting root access via sudoers manipulation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux Kernel CIFS component (versions before commit 3da1fdf4efbc490041eb4f836bf596201203f8f2)
No auth needed
Prerequisites: cifs-utils installed · cifs.spnego request-key rule configured · non-privileged user namespace access
devstral-2 · analyzed Jun 07, 2026

nomisec · WORKING POC · 1 star
by Koshmare-Blossom · poc
https://github.com/Koshmare-Blossom/CIFSwitch-go

This repository contains a functional Go-based exploit for CVE-2026-46243, leveraging a namespace confusion vulnerability in the Linux kernel's handling of CIFS key requests. The exploit forges a cifs.spnego key description to trick cifs.upcall into loading a malicious NSS library, achieving local privilege escalation (LPE).

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel with cifs-utils (cifs.upcall)
No auth needed
Prerequisites: cifs-utils installed · cifs kernel module loaded · unprivileged user namespaces enabled · gcc available
devstral-2 · analyzed Jun 04, 2026

nomisec · SCANNER
by liamromanis101 · poc
https://github.com/liamromanis101/cifswitch-check

This repository contains a shell script that checks for exposure to CVE-2026-46243, a local privilege escalation vulnerability in the Linux kernel's CIFS/SMB client. The script verifies kernel versions, cifs-utils installation, module status, user namespace settings, and other mitigations but does not include exploit code.

Classification: Scanner 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (CIFS/SMB client)
No auth needed
Prerequisites: Vulnerable kernel · cifs-utils >= 6.14 · Unprivileged user namespaces enabled
devstral-2 · analyzed Jun 03, 2026

github · SCANNER
by MrForkBomb · shell · poc
https://github.com/MrForkBomb/CIFSwitch-Checker-CVE-2026-46243

This repository contains a bash script that scans for the presence of components related to CVE-2026-46243 (CIFSwitch vulnerability) without exploiting it. It checks for cifs.upcall, request-key, CIFS module availability, user namespaces, and other system configurations to determine potential vulnerability.

Classification: Scanner 100%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Linux systems with CIFS/SMB components
No auth needed
Prerequisites: Access to the target system · Presence of cifs.upcall, request-key, or CIFS modules
devstral-2 · analyzed Jun 02, 2026

Scores

CVSS v3: 7.1
EPSS: 0.0002
EPSS Percentile: 6.7%
Attack Vector: LOCAL
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-20
Status: published
Products (21)
Linux/Linux < 2.6.24
Linux/Linux 2.6.24
Linux/Linux 5.10.258 - 5.10.*
Linux/Linux 5.15.209 - 5.15.*
Linux/Linux 6.1.175 - 6.1.*
Linux/Linux 6.12.92 - 6.12.*
Linux/Linux 6.18.34 - 6.18.*
Linux/Linux 6.6.142 - 6.6.*
Linux/Linux 7.0.11 - 7.0.*
Linux/Linux 7.1-rc5
... and 11 more
Published: Jun 01, 2026
Tracked Since: Jun 01, 2026