I installed the latest updates, but the exploit still works.
Rocky Linux 9.7 is no longer the latest. The latest is 9.8. Update your system.
Also, considering that the CVE was reported 2 days ago, even if it hasn’t been fixed then it’s hardly surprising because time is required to patch and release. I suggest you wait a bit longer before posting in future because it’s also pointless posting asking if something has been fixed when it’s literally only just been published.
Well, the vulnerability was publicly disclosed one week ago with a PoC publicly available (CIFSwitch: a non-universal Linux local root vulnerability · Hey, it's Asim); only the CVE number was assigned two days ago. There has also been a fix merged to the kernel code for weeks. Considering the severity of the issue I was just surprised that it takes so long for Linux distros to pick up these fixes or even publish a mitigation.
What does the “Public on May 26, 2026” on Red Hat CVE list mean: cve-details ?
From that we can gather that Rocky 8, 9, and 10 are affected and no fix is available yet.
RH security bulletin (also dated May 26) suggests mitigation: RHSB-2026-005 CIFS Upcall Privilege Escalation - Linux Kernel (CVE-2026-46243) - "CIFSwitch" | Red Hat Customer Portal
Red Hat has to backport the fix to the kernel versions that RHEL (and hence Rocky) have.
Thanks, @jlehtone! Yeah, I know the mitigation, unfortunately in our case we do need SMB mounts.
I was going by this: NVD - CVE-2026-46243 as the RH one wasn’t appearing in my Google results. Note, the date there shows 3 days ago, hence what I posted.
To be fair, both RH pages have been updated June 3, 2026 (yesterday). Perhaps they started as minimal stubs and got more (discoverable) content within the last three days.
Maybe it’s worth adding that AlmaLinux had a blog post titled “CIFSwitch (CVE-2026-46243) Patches Released” on 28 May.
Although released in the AlmaLinux testing repository so in reality no different than Rocky or RHEL not having it as it’s not in their official baseos or appstream repositories. AlmaLinux is ABI-compatible so no longer 1:1 with RHEL like Rocky aims to be. Therefore they can digress if they want to. The Rocky project isn’t interested in being ABI compatible with differing package versions and/or patches. Its preference is to be effectively the same as RHEL.
About the only time Rocky does release critical fixes is like what they did with the kernel for the recent LPEs. Whilst this one is marked as important rather than critical, Rocky will wait for the official fixes. Also, if you don’t have the CIFS packages installed, then I would guess there is no problem with those systems (at least that’s what it hints at in the RHEL CVE info).
Btw, I ended up restricting unprivileged user namespaces as a mitigation. This way I can still use SMB mounts (hard requirement for me), but do not risk living with an LPE. My way:

```
echo "user.max_user_namespaces=0" | sudo tee /etc/sysctl.d/99-disable-userns.conf > /dev/null
sudo sysctl --system
```

Then, to fix at least Flatpaks:

```
sudo chmod 4755 /usr/bin/bwrap
```

I think no other stuff on my system used unprivileged namespaces, or at least I can’t see anything breaking.
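
An added example (not part of the post above, and not Rocky or Red Hat tooling): a check that the `99-disable-userns.conf` drop-in is really the setting that takes effect, since a later-sorted file or `/etc/sysctl.conf` can silently undo it. The function name, the `ROOT` prefix argument and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed model of `sysctl --system`
# (per sysctl(8)): drop-ins are applied sorted by file name across directories,
# a file in /etc/sysctl.d masks a same-named file elsewhere, and
# /etc/sysctl.conf is applied last. The last assignment wins.
# ROOT is a hypothetical prefix so the check can run against a test tree.
effective_userns_limit() {
    root=${1:-}
    val=unset
    src=none
    # "name priority path" triples; keep the highest-priority copy of each name.
    # Assumes file paths contain no whitespace.
    files=$(
        prio=0
        for d in etc/sysctl.d run/sysctl.d usr/lib/sysctl.d; do
            prio=$((prio + 1))
            for f in "$root/$d"/*.conf; do
                [ -f "$f" ] && printf '%s %s %s\n' "${f##*/}" "$prio" "$f"
            done
        done | LC_ALL=C sort -k1,1 -k2,2n | awk '!seen[$1]++ { print $3 }'
    )
    for f in $files "$root/etc/sysctl.conf"; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*user\.max_user_namespaces[[:space:]]*=[[:space:]]*\([0-9]*\).*$/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; src=$f; fi
    done
    echo "$val $src"
}

# Constructed test tree (sample values invented for this example).
demo=$(mktemp -d)
mkdir -p "$demo/etc/sysctl.d" "$demo/usr/lib/sysctl.d"
echo "user.max_user_namespaces = 31000" > "$demo/usr/lib/sysctl.d/50-default.conf"
echo "user.max_user_namespaces=0" > "$demo/etc/sysctl.d/99-disable-userns.conf"
effective_userns_limit "$demo"   # the 99- drop-in wins over the 50- default
echo "user.max_user_namespaces=31000" > "$demo/etc/sysctl.conf"
effective_userns_limit "$demo"   # a stale line in sysctl.conf undoes the mitigation
rm -rf "$demo"
```

On a live host, call `effective_userns_limit ""` and compare the result with `sysctl -n user.max_user_namespaces`, which reports the value the running kernel is actually using.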
I think the updates for AlmaLinux were released in the testing repo on 28 May and then released in the default repos on 2 June. The vulnerability itself was also made public on 28 May with this mailing list message: https://www.openwall.com/lists/oss-security/2026/05/28/2
I’m aware of the main differences between Rocky and Alma. In recent weeks both distributions have released security updates that don’t originate from the upstream (RHEL). For Rocky they are opt-in (in the new Security repo), for Alma they are in the default repos. Both approaches have some advantages and disadvantages. Rocky could have released updates for CIFSwitch just like it did for the other vulnerabilities. I guess the difference is whether CIFSwitch is considered important enough or not?
My server instance with Rocky Linux 8 doesn’t have cifs-utils installed, but I remember that some other instances had the “System Tools” group installed and this group includes cifs-utils.
I have the same mitigation applied, it was made for Dirty Frag. CIFSwitch is yet another exploit that relies on user namespaces, so I think it’s a good idea to disable them whenever possible.
I could ask the Infra team to find out for sure, but my guess is that it’s probably not considered important enough. The other ones were far more critical, so Rocky backported the fix into the current kernels at that time. Thus, when the fixed kernels by RHEL were released they would supersede it, and effectively bring us back in line with RHEL.
I also don’t have any of the CIFS stuff installed as I don’t use that kind of stuff, nor userspace stuff either, which could also be one of the reasons that a lot of systems won’t be affected by it like they were by the Dirty Frag or Fragnesia ones. That said, it’s no reason not to fix something by assumption that something is or is not installed.
We had a community vote for having the security fixes pushed to the normal baseos/appstream repos, but the majority voted for having it as opt-in rather than forcing them to the main repositories. A lot of people like the fact that Rocky is 1:1 with RHEL rather than just ABI-compatible and this was their main reasoning about keeping those separate. I’d have preferred it in the main repositories, but there we go.
Actually, just read on the Mattermost channels, CIFSwitch has been pushed to the security repo, so people should see it shortly if they have it enabled.
You’re right, I can now see the new kernel packages when running `dnf --enablerepo=security check-update`
Is there a channel on Mattermost where you can get news like this? I’ve joined some channels including General, Development, Security and Infrastructure but maybe it’s one of the others?
When checking the changelog with `dnf repoquery --changelog` on Rocky 8, it looks like the backported kernel patch was ready on 29 May. Sometimes with Rocky Linux I have the feeling that things can get stuck for a few days longer than expected.

```
$ dnf --enablerepo=security repoquery --changelog kernel-4.18.0-553.126.1.el8_10.0.1 | head -n13
Last metadata expiration check: 1:03:08 ago on Fri 05 Jun 2026 07:22:15 PM CEST.
Changelog for kernel-4.18.0-553.126.1.el8_10.0.1.x86_64
* Fri May 29 2026 Brett Mastbergen <bmastbergen@ciq.com> - 4.18.0-553.126.1.0.1
- smb: client: reject userspace cifs.spnego descriptions (Shreeya Patel) [ciqres]
* Thu May 28 2026 Release Engineering <releng@rockylinux.org> - 4.18.0-553.126.1
- Adding prod certs and changed cert date to 20210620 (Sherif Nagy)
- Adding Rocky secure boot certs (Sherif Nagy)
- Fixing vmlinuz removal (Sherif Nagy)
- Fixing UEFI CA path (Sherif Nagy)
- Porting to 8.10, debranding and Rocky branding (Louis Abel)
- Fixing pesign_key_name values (Sherif Nagy)
* Wed May 20 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [4.18.0-553.126.1.el8_10]
```