In the Linux kernel

CVE-2026-46243 is a local privilege escalation in the Linux kernel CIFS client path. A low-privileged user can forge a cifs.spnego key description, trigger the default request-key rule, and get the root-run cifs.upcall helper to trust attacker-controlled fields like pid, uid, creduid, and upcall_target. In practice, exploitation needs several moving parts at once: a vulnerable kernel path, an affected cifs-utils build and default cifs.spnego rule, the cifs module available, unprivileged user namespaces enabled, and an LSM policy that does not shut the chain down. The kernel-side bug dates back to 2007; the researcher notes affected cifs-utils is nominally 6.14+, with some older distro backports also pulled into the blast radius.

The vendor HIGH 7.8 rating is technically defensible for impact, but it overstates enterprise urgency when you factor in the real attack path. This is post-initial-access by definition: the attacker already has code execution as a local user, then still needs the right package mix and namespace/LSM behavior. Public PoC and reliable root impact keep this out of LOW, but the layered prerequisites and lack of KEV / active exploitation evidence push it down to MEDIUM for most 10,000-host fleets.

Why this verdict

• Downgrade for attacker position: AV:L/PR:L means the attacker is already on the box. That implies prior compromise or an untrusted local-user model, which is compounding downward pressure on severity.
• Downgrade for exposure fraction: exploitation needs cifs-utils, the default cifs.spnego request-key rule, cifs support, and unprivileged user namespaces. Many enterprise Linux servers will miss at least one of those.
• Downgrade for platform controls: default SELinux/AppArmor blocks the chain on several mainstream configurations per the researcher testing. Modern host hardening can stop the exploit without the patch.
• Upgrade from LOW because root is real: once the chain lands, impact is full root compromise on the host, not a sandbox escape with limited blast radius.
• Upgrade from LOW because PoC is public: this is not a theoretical logic issue buried in a changelog; there is public weaponization guidance and practical distro testing.
• No extra uplift from threat intel: no KEV listing and no authoritative active exploitation evidence, which removes the strongest argument for HIGH in patch-priority terms.

Why not higher?

A higher rating would fit only if this were unauthenticated remote, broadly reachable across default fleets, or already showing active exploitation. It is none of those. The exploit chain assumes a prior foothold and then still depends on a fairly specific local configuration profile.

Why not lower?

This is not harmless hygiene. The end state is root, the exploit path is public, and shared Linux environments like CI workers, jump hosts, research clusters, and multi-user dev boxes are exactly where local privescs matter most. If you operate those populations at scale, ignoring this would be a mistake.

1. Override the cifs.spnego request-key rule — Replace the default helper invocation with a negation rule so forged cifs.spnego requests do not launch cifs.upcall as root. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but if you run shared Linux or CI workers, do this early because it cleanly cuts the exploit chain.
2. Disable unprivileged user namespaces where you can — Set kernel.unprivileged_userns_clone=0 on hosts that do not require rootless containers or similar userns features. This removes a critical prerequisite from the public exploit path; again, there is no mitigation SLA — go straight to the 365-day remediation window, but it is a high-value hardening step for exposed host classes.
3. Block or unload cifs on non-SMB clients — If the host never mounts SMB/CIFS shares, blacklist or remove the cifs module so the vulnerable kernel path is not reachable in practice. Do this during normal hardening work within the MEDIUM remediation window, and validate business impact first because it breaks CIFS mounts.
4. Remove cifs-utils from unnecessary hosts — If cifs-utils is present only by image inheritance, remove it from server and container-node baselines that do not need SMB client auth. That strips out the root helper and default request-key rule from the attack path; schedule as standard platform hygiene inside the remediation window.
5. Add audit coverage for keyring syscalls — Log request_key and add_key activity, especially low-privilege calls involving cifs.spnego, and alert on cifs.upcall ancestry from non-kernel processes. This does not fix the bug, but it improves your odds of spotting exploit attempts while patch rollout catches up.

Run this on the target Linux host as root if possible, though it can still gather partial evidence unprivileged. Invoke it as bash check-cve-2026-46243.sh; it inspects distro/kernel versions where known, plus exploit preconditions like cifs-utils, the cifs.spnego rule, cifs availability, and unprivileged user namespaces. Output is PATCHED, VULNERABLE, or UNKNOWN.

#!/usr/bin/env bash
# check-cve-2026-46243.sh
# Determine likely exposure to CVE-2026-46243 (CIFSwitch)
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

status="UNKNOWN"
reason=()

have_cmd() { command -v "$1" >/dev/null 2>&1; }

ver_ge() {
  # returns 0 if $1 >= $2 using sort -V
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

os_id="unknown"
os_ver="unknown"
if [ -r /etc/os-release ]; then
  . /etc/os-release
  os_id="${ID:-unknown}"
  os_ver="${VERSION_ID:-unknown}"
fi

kernel_rel="$(uname -r 2>/dev/null || echo unknown)"
userns="unknown"
if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
  userns="$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null)"
fi

cifsutils="absent"
if have_cmd dpkg-query; then
  if dpkg-query -W -f='${Status} ${Version}\n' cifs-utils 2>/dev/null | grep -q 'install ok installed'; then
    cifsutils="installed"
    cifsutils_ver="$(dpkg-query -W -f='${Version}\n' cifs-utils 2>/dev/null)"
  fi
elif have_cmd rpm; then
  if rpm -q cifs-utils >/dev/null 2>&1; then
    cifsutils="installed"
    cifsutils_ver="$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' cifs-utils 2>/dev/null)"
  fi
fi
cifsutils_ver="${cifsutils_ver:-n/a}"

rule_state="missing"
if [ -f /etc/request-key.d/cifs.spnego.conf ]; then
  if grep -Eq 'keyctl[[:space:]]+negate' /etc/request-key.d/cifs.spnego.conf 2>/dev/null; then
    rule_state="negated"
  elif grep -Eq 'cifs\.upcall' /etc/request-key.d/cifs.spnego.conf 2>/dev/null; then
    rule_state="helper"
  else
    rule_state="custom"
  fi
fi

cifs_mod="unknown"
if grep -qw '^cifs' /proc/modules 2>/dev/null; then
  cifs_mod="loaded"
elif have_cmd modinfo && modinfo cifs >/dev/null 2>&1; then
  cifs_mod="available"
else
  cifs_mod="absent_or_builtin_unknown"
fi

# Debian fixed kernel package thresholds from Debian tracker.
# We can only confidently assess Debian-family package streams here.
if [ -r /etc/debian_version ] && have_cmd dpkg-query; then
  linux_pkg_ver="$(dpkg-query -W -f='${Version}\n' linux-image-$(uname -r) 2>/dev/null || true)"
  if [ -n "$linux_pkg_ver" ]; then
    case "$os_ver" in
      11*) if ver_ge "$linux_pkg_ver" "5.10.257-1"; then status="PATCHED"; reason+=("Debian 11 kernel package >= 5.10.257-1"); fi ;;
      12*) if ver_ge "$linux_pkg_ver" "6.1.174-1"; then status="PATCHED"; reason+=("Debian 12 kernel package >= 6.1.174-1"); fi ;;
      13*) if ver_ge "$linux_pkg_ver" "6.12.90-2"; then status="PATCHED"; reason+=("Debian 13 kernel package >= 6.12.90-2"); fi ;;
    esac
  fi
fi

# Exposure logic if not already PATCHED
if [ "$status" != "PATCHED" ]; then
  exploitable_prereqs=0

  if [ "$cifsutils" = "installed" ]; then exploitable_prereqs=$((exploitable_prereqs+1)); else reason+=("cifs-utils not installed"); fi
  if [ "$rule_state" = "helper" ]; then exploitable_prereqs=$((exploitable_prereqs+1)); else reason+=("cifs.spnego helper rule not active"); fi
  case "$cifs_mod" in
    loaded|available|absent_or_builtin_unknown) exploitable_prereqs=$((exploitable_prereqs+1)) ;;
  esac
  if [ "$userns" = "1" ]; then exploitable_prereqs=$((exploitable_prereqs+1)); else reason+=("unprivileged user namespaces disabled or unknown"); fi

  # If all practical prereqs are present and we do not know the kernel is fixed, call it VULNERABLE.
  if [ "$exploitable_prereqs" -ge 4 ]; then
    status="VULNERABLE"
    reason+=("all major public exploit prerequisites present; kernel patch level not proven fixed")
  else
    status="UNKNOWN"
    reason+=("kernel patch level not proven fixed, but one or more exploit prerequisites are absent")
  fi
fi

echo "CVE-2026-46243 assessment"
echo "OS: $os_id $os_ver"
echo "Kernel: $kernel_rel"
echo "cifs-utils: $cifsutils ($cifsutils_ver)"
echo "cifs.spnego rule: $rule_state"
echo "cifs module: $cifs_mod"
echo "kernel.unprivileged_userns_clone: $userns"
echo "RESULT: $status"
printf 'WHY: %s\n' "${reason[*]}"

case "$status" in
  PATCHED) exit 0 ;;
  VULNERABLE) exit 1 ;;
  *) exit 2 ;;
esac

Sources

1. NVD CVE-2026-46243
2. oss-sec CVE assignment and disclosure thread
3. Asim Manizada write-up: CIFSwitch
4. Public PoC repository
5. Red Hat bulletin RHSB-2026-005
6. Debian security tracker
7. CIQ/Rocky mitigation and patched kernel guidance
8. CISA Known Exploited Vulnerabilities Catalog