High-Fidelity CIFSwitch (CVE-2026-46243) Detection

This skill provides automated, read-only security auditing for the "CIFSwitch" vulnerability—a high-severity Local Privilege Escalation (LPE) flaw that affects Linux systems using CIFS and cifs-utils. It eliminates the guesswork of manual CVE assessment by executing a multi-stage heuristic analysis of the kernel, userspace helpers, and system configurations.

What it does

• Kernel Verification: Scans for unpatched versions and checks /proc/kallsyms for the definitive fix symbol (cifs_spnego_key_vet_description).
• Component Audit: Identifies if cifs-utils >= 6.14 is present and if the rootful cifs.upcall helper is exposed.
• Attack Path Mapping: Evaluates if cifs.spnego request-key rules are active and if the CIFS module is loadable.
• Mitigation Analysis: Checks status of unprivileged user namespaces, SELinux/AppArmor policies, and container capabilities.

Why use this skill?

Identifying this CVE manually is error-prone because it requires correlating kernel patches with specific userspace utility versions and active request-key configurations. This skill provides a "one-shot" diagnosis with CI/CD-ready exit codes, allowing you to gate deployments or audit entire clusters programmatically. It requires no modification to the target system and offers clear remediation steps upon detection.

Output

The skill generates a structured diagnostic report (JSON or Human-readable) identifying specific vulnerable conditions and a clear "VULNERABLE" or "MITIGATED" status, along with direct remediation commands.