Skip to main content

cifs-utils EUVDEUVD-2026-37834

| CVE-2026-12505 HIGH
Execution with Unnecessary Privileges (CWE-250)
2026-06-18 redhat GHSA-58j9-p7xf-pjx7
7.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local-only via request_key with any unprivileged account (AV:L, PR:L); no user interaction or special conditions on default RHEL (AC:L, UI:N); root code execution yields full C/I/A impact within the host scope.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 04:45 vuln.today
CVE Published
Jun 18, 2026 - 03:34 cve.org
HIGH 7.8

DescriptionCVE.org

A flaw was found in the cifs-utils package where the cifs.upcall helper fails to securely drop its root privileges before looking up user information inside a user-controlled environment. A local, low privileged attacker can exploit this by using a crafted request_key payload to trick the root-owned helper into entering a custom environment (namespace) containing a malicious NSS module. This forces the system to load the attacker's controlled NSS Module and configuration, allowing them to execute arbitrary commands as the root user, elevating their privileges and fully compromising the system.

AnalysisAI

Local privilege escalation in the cifs-utils cifs.upcall helper allows low-privileged Linux users to gain root by abusing the kernel request_key interface to load a malicious NSS module inside an attacker-controlled mount namespace. The root-owned helper fails to drop privileges before performing user-name resolution, so the attacker's NSS module executes with full root capabilities. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain unprivileged local shell
Delivery
Stage malicious libnss_*.so and nsswitch.conf
Exploit
Enter attacker-controlled mount/user namespace
Install
Invoke crafted request_key for cifs key type
C2
Kernel spawns root cifs.upcall in tainted env
Execute
Helper dlopens malicious NSS module as root
Impact
Execute payload, gain root shell

Vulnerability AssessmentAI

Exploitation Attacker must already have a local interactive or code-execution foothold as any unprivileged UID on the target host, with permission to call the request_key(2) syscall for the 'cifs' key type and to create a user or mount namespace (the default on modern unprivileged-userns-enabled kernels including RHEL 8+, OpenShift worker nodes, and most SUSE configurations). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals converge on a credible but not urgent priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged shell user on a vulnerable RHEL host writes a malicious libnss_evil.so plus a custom nsswitch.conf into a directory they control, enters a new user/mount namespace, and issues a crafted request_key call that the kernel forwards to the root-owned cifs.upcall helper. The helper, still running as root, performs an NSS user lookup inside the attacker's environment, dlopen()s the malicious module, and executes the attacker's code as root. …
Remediation Upstream fix available (commit 972c5b5ff95e3e812bc8daa72d0383654ab0dba7 in git.samba.org cifs-utils); released patched version not independently confirmed in the supplied data, so consume the cifs-utils errata package from your distribution (Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-12505, equivalent SUSE update once published) and verify the installed cifs-utils build includes that commit. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all CIFS-dependent systems (RHEL 6, 7, 8, 9, 10 and OCP 4.x) and disable CIFS/SMB mounting where operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP6-CHOST-BYOS Affected
SLES15-SP6-CHOST-BYOS-Aliyun Affected
SLES15-SP6-CHOST-BYOS-Azure Affected
SLES15-SP6-CHOST-BYOS-EC2 Affected

Share

EUVD-2026-37834 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy