2489805 – (CVE-2026-12505) CVE-2026-12505 cifs-utils: local privilege escalation via forged cifs.spnego key description in cifs.upcall

Bug 2489805 (CVE-2026-12505) - CVE-2026-12505 cifs-utils: local privilege escalation via forged cifs.spnego key description in cifs.upcall

Summary: CVE-2026-12505 cifs-utils: local privilege escalation via forged cifs.spnego ...

Keywords:
Status:	NEW
Alias:	CVE-2026-12505
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2489808
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-17 10:22 UTC by OSIDB Bzimport
Modified:	2026-06-18 03:32 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-17 10:22:02 UTC

The vulnerability affects cifs.upcall in cifs-utils. When processing a cifs.spnego key request, cifs.upcall may switch into attacker-controlled namespaces before fully dropping its root privileges. During this transition, the helper performs NSS lookups using getpwuid() while still retaining privileged kernel credentials. An attacker may create a controlled user and mount namespace containing a malicious NSS configuration and NSS module. By triggering a crafted cifs.spnego request through request_key(), the attacker can cause cifs.upcall to load the malicious NSS module before privileges are fully dropped.

Note You need to log in before you can comment on or make changes to this bug.