CIFSwitch (cifs.spnego LPE): Mitigation and Kernel Update on CloudLinux

Incident Report for CloudLinux

Update

Patched CloudLinux kernels for CL7h and CL8 are released. They are available in the beta channel and are rolling out gradually to stable; the bypass commands below install them immediately.

Target versions:
- CL7h: kernel-4.18.0-553.126.2.lve.el7h or newer
- CL8: kernel-4.18.0-553.126.2.lve.el8 or newer

To install immediately without waiting for the gradual stable rollout:
yum update cloudlinux-release --enablerepo=cloudlinux-updates-testing
yum update --enablerepo=cloudlinux-rollout-4-bypass 'kernel*'
reboot

Patched LTS kernels are released to the beta channel.

Target versions:
- CL8 LTS: kernel-lts-5.14.0-284.1101.el8.tuxcare.11.els2 or newer
- CL9 LTS: kernel-lts-5.14.0-284.1101.el9.tuxcare.11.els2 or newer

Update with:
dnf update 'kernel-lts*' --enablerepo=cloudlinux-updates-testing
reboot
Posted Jun 01, 2026 - 10:17 UTC

Update

KernelCare livepatches have been promoted to the main feed for CL7h, CL8, and CL9 (including the AlmaLinux 9.2 and 9.6 FIPS variants). KernelCare-subscribed servers running these versions receive the fix automatically on the next kcarectl --update.

Patches for CL10 and CloudLinux for Ubuntu 22.04 (Jammy) are now available in the testing feed. Apply immediately with:
kcarectl --update --prefix test
Posted May 29, 2026 - 19:42 UTC

Update

Who is affected

Only hosts that have cifs-utils installed and permit unprivileged user namespaces are affected, on the following releases:

- CloudLinux 7h, CloudLinux 8, CloudLinux 9, CloudLinux 10, CloudLinux for Ubuntu 22.04

CloudLinux 7 (CL7) is not affected in its stock configuration. No CVE has been assigned yet.



Mitigate now (either option breaks the chain):

- Option 1 - neutralize the cifs.spnego upcall, only if this host does not mount Kerberos-authenticated SMB shares:

echo "create cifs.spnego * * /bin/false" > /etc/request-key.d/cifs.spnego.conf

- Option 2 - disable unprivileged user namespaces.
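
To confirm which state a host is in, the following audit script checks the two exposure conditions and both mitigation options. It is an added example, not CloudLinux's own tooling. Assumptions: the /usr/sbin/cifs.upcall helper stands in for "cifs-utils installed", the sysctls user.max_user_namespaces and kernel.unprivileged_userns_clone stand in for Option 2 (the report does not name a setting), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the exposure conditions and mitigations from this report.
# ROOT ("" = live system) lets the check run against a mounted image or test tree.

# Assumption: /usr/sbin/cifs.upcall present is a proxy for "cifs-utils installed".
cifs_utils_present() { [ -e "$1/usr/sbin/cifs.upcall" ]; }

# Assumption: the report does not name the sysctl for Option 2; these are the two
# standard knobs (user.max_user_namespaces, and kernel.unprivileged_userns_clone
# on Debian/Ubuntu kernels). A value of 0 in either counts as disabled.
userns_allowed() {
    max="$1/proc/sys/user/max_user_namespaces"
    clone="$1/proc/sys/kernel/unprivileged_userns_clone"
    [ -r "$max" ] && [ "$(cat "$max")" -eq 0 ] && return 1
    [ -r "$clone" ] && [ "$(cat "$clone")" -eq 0 ] && return 1
    return 0
}

# Print every active request-key rule for cifs.spnego that still names a helper
# other than /bin/false (fields: op type description callout-info program).
live_spnego_rules() {
    for f in "$1/etc/request-key.conf" "$1"/etc/request-key.d/*.conf; do
        [ -f "$f" ] || continue
        awk -v f="$f" '$1 !~ /^#/ && $2 == "cifs.spnego" && $5 != "/bin/false" { print f ": " $0 }' "$f"
    done
}

# Returns 0 when the chain is broken or the host is not exposed, 1 otherwise.
cifswitch_status() {
    root=${1:-}
    if ! cifs_utils_present "$root"; then
        echo "not exposed: cifs.upcall helper not installed"; return 0
    fi
    if ! userns_allowed "$root"; then
        echo "mitigated: unprivileged user namespaces disabled (Option 2)"; return 0
    fi
    rules=$(live_spnego_rules "$root")
    if [ -z "$rules" ]; then
        echo "mitigated: cifs.spnego upcall neutralized (Option 1)"; return 0
    fi
    echo "exposed: cifs.spnego still dispatches to a helper:"
    echo "$rules"
    return 1
}

# Run against the live system only when asked: sh cifswitch_check.sh --run
if [ "${1:-}" = "--run" ]; then cifswitch_status ""; fi
```

The script also flags a cifs.spnego rule left in /etc/request-key.conf or another file under /etc/request-key.d, which the single-file overwrite in Option 1 would not touch.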



Patched kernels

- CL9 / AlmaLinux 9: kernel-5.14.0-687.5.4.el9_8 or newer - available in the AlmaLinux testing repository.

- CL10 / AlmaLinux 10: kernel-6.12.0-211.7.4.el10_2 or newer - available in the AlmaLinux testing repository.

- CL7h / CL8: rebuilds on top of the AlmaLinux 8 fix are in build/test; target versions will follow.

Promotion to production repositories is pending community verification.



KernelCare livepatches (no reboot)

- EL8 family (CL7h, CL8): on the testing feed now; promotion to the main feed expected shortly.

- EL9: built and reviewed.

Install from the testing feed:

kcarectl --update --prefix test


Until a CVE is assigned, identify the patch by its description:

kcarectl --patch-info | grep cifs.spnego



Full and continuously updated details are in the blog post.
Posted May 29, 2026 - 12:43 UTC

Update

Patched kernels for CL9/CL10 are available in the AlmaLinux testing repository. Target versions:

CL9 / AlmaLinux 9: kernel-5.14.0-687.5.4.el9_8 or newer
CL10 / AlmaLinux 10: kernel-6.12.0-211.7.4.el10_2 or newer

Promotion to production repositories is pending community verification. See the AlmaLinux advisory for upstream details.
Posted May 29, 2026 - 03:57 UTC

Identified

CIFSwitch (cifs.spnego LPE) - mitigation available; patched kernels in build, KernelCare live patches rolling out.

More details in our blog: https://blog.cloudlinux.com/cifswitch-mitigation-and-kernel-update
Posted May 28, 2026 - 18:23 UTC