19-Year-Old Linux Kernel Bug "CIFSwitch" Found by AI
Summary
A 19-year-old logic flaw in the Linux kernel, known as “CIFSwitch” (CVE-2026-46243), has been identified after nearly two decades of remaining undetected. This vulnerability allows local users with low privileges to gain full root access. What makes this discovery particularly noteworthy is not just the age of the bug, but the method of its discovery: a security engineer from SpaceX utilized an AI framework to analyze complex logic paths in the kernel code that had eluded human auditors for years.
What Happened?
- The Discovery: Asim Manizada, a security engineer at SpaceX, found the vulnerability using a specialized AI system.
- The Bug: It is a logic error within the kernel’s CIFS client and the associated cifs-utils helper in the userspace layer.
- The Method: An attacker can forge an authentication request (cifs.spnego) that tricks a privileged system service into loading a malicious library into the root context.
- Timeline: The code containing the flaw was introduced as far back as 2007 and remained unnoticed for 19 years.
Why It Matters
The discovery of CIFSwitch marks a turning point in cybersecurity. It demonstrates that AI is capable of finding “logic bombs” and subtle architectural flaws that are often missed by traditional code audits and fuzzing tests. Since the vulnerability affects numerous distributions widely used in data centers and by cloud providers (e.g., CentOS, SLES, Mint), the potential attack surface is massive.
Evidence
- CVE Entry: CVE-2026-46243 has been officially assigned to this flaw.
- Distributions: Confirmed security advisories have been issued for Linux Mint, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali Linux, and SLES 15.
- Kernel Patches: Patches for seven stable kernel branches (including 7.0.11, 6.18.34) were released on June 1, 2026.
Analysis
Unlike many prominent kernel bugs of recent years (such as Dirty Pipe or Heartbleed), CIFSwitch is not based on memory errors like buffer overflows. It is a pure logic flaw. Manizada’s AI was able to find it by creating semantic graphs of kernel objects and recognizing that certain data structures were treated as trusted by privileged processes, even though they could be manipulated by unprivileged users. This highlights the ability of LLMs to “think” across multiple levels of abstraction.
Practical Takeaways
- Update Systems: Administrators should immediately update their kernels to the versions released on June 1.
- Immediate Mitigations: If a patch is not available, the risk can be mitigated by uninstalling cifs-utils or disabling unprivileged user namespaces.
- Module Blacklisting: Blacklisting the cifs kernel module completely closes the attack surface, provided that network file access via CIFS is not required.
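A host audit for the mitigations listed above, as an added example that is not part of the original article. The function names are hypothetical, the helper paths (/usr/sbin/cifs.upcall, /etc/request-key.d/cifs.spnego.conf) are assumed from common packaging, and the kernel version is not checked.

```shell
#!/bin/sh
# Added example (not from the article): report which of the listed
# mitigations is active. $1 is a filesystem prefix: "" for the live host,
# or a constructed directory tree for testing.

# True if modprobe.d keeps the cifs module from loading. "blacklist" stops
# alias-triggered autoloading; "install cifs /bin/false" also blocks modprobe.
cifs_module_blocked() {
    grep -Eqs '^[[:space:]]*(blacklist[[:space:]]+cifs|install[[:space:]]+cifs[[:space:]]+/(usr/)?bin/(false|true))[[:space:]]*$' \
        "$1"/etc/modprobe.d/*.conf
}

# True if the cifs module is loaded right now (a blacklist does not unload it).
cifs_module_loaded() {
    grep -qs '^cifs ' "$1/proc/modules"
}

# True if the cifs-utils upcall helper or its request-key rule is installed.
# Both paths are the usual packaging locations (assumption).
cifs_helper_present() {
    [ -e "$1/usr/sbin/cifs.upcall" ] || [ -e "$1/etc/request-key.d/cifs.spnego.conf" ]
}

# True unless unprivileged user namespaces are switched off. A missing sysctl
# file counts as "enabled" (unprivileged_userns_clone exists only on
# Debian-derived kernels), so the result errs toward reporting exposure.
userns_enabled() {
    max=$(cat "$1/proc/sys/user/max_user_namespaces" 2>/dev/null || echo 1)
    clone=$(cat "$1/proc/sys/kernel/unprivileged_userns_clone" 2>/dev/null || echo 1)
    [ "$max" != 0 ] && [ "$clone" != 0 ]
}

# Prints one verdict line for the given filesystem prefix.
cifswitch_status() {
    if cifs_module_blocked "$1" && ! cifs_module_loaded "$1"; then
        echo "mitigated: cifs module blocked"
    elif ! cifs_helper_present "$1"; then
        echo "mitigated: cifs-utils helper absent"
    elif ! userns_enabled "$1"; then
        echo "mitigated: unprivileged user namespaces disabled"
    else
        echo "unmitigated: update the kernel or apply a mitigation"
    fi
}

cifswitch_status ""
```

A host that reports a blocked module while cifs is still loaded is counted as unmitigated until the module is unloaded or the machine is rebooted.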
Open Questions
- How many more 15+ year-old bugs are dormant in the kernel, waiting to be found by AI systems?
- Will the automated search for logic flaws by AI lead to an arms race between security researchers and state-sponsored hackers?