A high-severity privilege escalation flaw, designated CVE-2023-0386 (CVSSv3: 7.8), has been identified in the Linux kernel’s OverlayFS subsystem.
The vulnerability stems from improper ownership handling when OverlayFS copies a file up from a lower layer on a nosuid mount into an upper layer on a mount without that restriction, enabling a local attacker to bypass the intended security boundary and escalate privileges to root.
Technical Mechanism:
- The flaw occurs in OverlayFS's copy-up operation, which copies a file from a lower (read-only) layer into the upper (writable) layer the first time the file is modified through the overlay.
- Before the fix, the kernel copied the lower file's owner and mode, setuid bit included, to the upper file without checking that the owner uid/gid is actually mapped in the user namespace of the process that mounted the overlay.
- An unprivileged attacker exploits this by mounting a FUSE (Filesystem in Userspace) filesystem whose daemon presents a root-owned setuid binary, then, from an unprivileged user namespace, mounting an overlay with that FUSE filesystem as the lower layer and an upper directory they control.
- When the file is copied up into an upper directory on a mount without nosuid (the article's example is /tmp), the copy keeps root ownership and the setuid bit, so executing it from the backing filesystem runs code as root.
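The user-namespace mapping failure described above, as an added example that is not part of the original article or of the kernel source: it models uid_map range lookups in plain Python and contrasts a copy-up that trusts the lower file's owner (the pre-6.2 behaviour) with one that first requires that owner to be mapped for the mounter, which mirrors the check the upstream fix adds. The namespaces, inodes and uid values below are constructed for the scenario, and the model covers the uid half of the check only (the real fix checks gid as well).

```python
"""Model of the copy-up ownership check behind CVE-2023-0386.

Added example, not kernel code. It reproduces the user-namespace uid mapping
arithmetic (uid_map ranges; from_kuid() returning (uid_t)-1 for an unmapped
kuid) in plain Python and contrasts a copy-up that trusts the lower file's
owner with one that refuses unless that owner is mapped in the mounter's
namespace. The uid/gid check in the upstream fix is modelled for uids only.
"""
from dataclasses import dataclass

INVALID_UID = 0xFFFFFFFF   # (uid_t)-1, the kernel's "no mapping" value
S_ISUID = 0o4000


@dataclass(frozen=True)
class UidMapEntry:
    """One line of /proc/<pid>/uid_map: ns_start host_start count."""
    ns_start: int
    host_start: int
    count: int


class UserNamespace:
    def __init__(self, uid_map):
        self.uid_map = list(uid_map)

    def from_kuid(self, kuid):
        """Translate a kernel uid into this namespace, or INVALID_UID if no range covers it."""
        for e in self.uid_map:
            if e.host_start <= kuid < e.host_start + e.count:
                return e.ns_start + (kuid - e.host_start)
        return INVALID_UID

    def has_mapping(self, kuid):
        return self.from_kuid(kuid) != INVALID_UID


@dataclass(frozen=True)
class Inode:
    name: str
    kuid: int    # owner as the kernel stores it: a uid in the initial namespace
    mode: int    # permission bits, possibly including S_ISUID


def copy_up_vulnerable(lower, mounter_ns):
    """Pre-fix behaviour: the upper file gets the lower file's owner and mode verbatim,
    regardless of whether the mounter's namespace can express that owner at all."""
    return Inode(lower.name, lower.kuid, lower.mode)


def copy_up_fixed(lower, mounter_ns):
    """Post-fix behaviour: copy-up fails with EOVERFLOW when the lower owner is not
    mapped in the user namespace of the process that mounted the overlay."""
    if not mounter_ns.has_mapping(lower.kuid):
        raise OverflowError("EOVERFLOW: kuid %d has no mapping for the mounter" % lower.kuid)
    return Inode(lower.name, lower.kuid, lower.mode)


def simulate(copy_up, lower, mounter_ns):
    """Run one copy-up implementation and classify the file that lands in upperdir."""
    try:
        upper = copy_up(lower, mounter_ns)
    except OverflowError:
        return "EOVERFLOW"
    if upper.kuid == 0 and upper.mode & S_ISUID:
        return "root-setuid"
    return "benign"


# Constructed scenario: unprivileged uid 1000 creates a user namespace whose only
# mapping is "0 1000 1", i.e. ns-root is host uid 1000 and host root is unmapped.
INIT_USER_NS = UserNamespace([UidMapEntry(0, 0, 0xFFFFFFFF)])   # identity map
ATTACKER_NS = UserNamespace([UidMapEntry(0, 1000, 1)])

# The FUSE daemon, mounted through the setuid fusermount helper in the initial
# namespace, reports a root-owned setuid file, so the kernel records kuid 0 for it.
FUSE_SUID_LOWER = Inode("suid_shell", kuid=0, mode=0o4755)
OWN_FILE = Inode("notes", kuid=1000, mode=0o644)   # mapped owner: copy-up is legitimate

if __name__ == "__main__":
    for impl in (copy_up_vulnerable, copy_up_fixed):
        print(impl.__name__, simulate(impl, FUSE_SUID_LOWER, ATTACKER_NS))
```

The point the model makes is that ns-root in the attacker's namespace can never create a host-root-owned file by itself (its uid 0 is host uid 1000), so the only way kuid 0 reaches the upper directory is for copy-up to carry it across unchecked; the fixed path refuses exactly that case while still allowing copy-up of files whose owner the mounter can map.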
Affected systems include Linux kernels before 6.2 (the mainline fix shipped in 6.2-rc1) and distribution kernels that have not backported it, with vendor advisories covering RHEL 8/9, Ubuntu, Debian, and NetApp products.
Technical Impact and Exploit Details
Proof-of-Concept (PoC) Exploitation:
- FUSE Mount Creation: The attacker mounts a FUSE filesystem (mounted nosuid, as unprivileged FUSE mounts are) whose daemon presents a root-owned setuid binary.
- OverlayFS Abuse: Inside an unprivileged user namespace, the attacker mounts an overlay with the FUSE filesystem as the lower layer and an upper directory they control on a mount without nosuid restrictions, then touches the file so that OverlayFS copies it up (any data or metadata write triggers copy-up).
- Privilege Escalation: The copy in the upper directory is root-owned with the setuid bit set; executing it from the backing filesystem grants root access, bypassing the user-namespace uid mapping that should have stopped namespace root from producing host-root-owned files.
Diagnostic Command [1]:
```bash
uname -r   # Running kernel release; the mainline fix shipped in 6.2
```
A release older than 6.2 is a hint, not a verdict: RHEL, Ubuntu and Debian backport the fix into their older kernel lines, so compare the installed kernel package version with the vendor advisory for CVE-2023-0386 rather than relying on the major.minor number alone.
Related Weaknesses:
- CWE-282: Improper Ownership Management – the copied-up file inherits an owner uid/gid that the mounter's user namespace cannot map, so the upper layer ends up with a root-owned file that an unprivileged user created.
Mitigation and Risk Management
| Risk Factor | Description | Severity |
|---|---|---|
| Privilege Escalation | Local users gain root access via a copied-up setuid binary | High |
| Affected Systems | Linux kernels before 6.2 and distribution kernels without the backported fix (e.g., RHEL 8/9, Ubuntu) | High |
| Attack Vector | Requires local access plus the ability to create an unprivileged user namespace and a FUSE mount | Medium |
| Exploit Availability | Public PoC code available on GitHub | High |
| Mitigation | Update the kernel, apply vendor patches, or discontinue use if unpatchable | Critical |
Recommended Actions:
- Patch Immediately: Upgrade to Linux kernel 6.2 or later, or apply the vendor-specific update that backports the fix (e.g., Ubuntu kernel livepatch).
- Enforce BOD 22-01: CISA's Binding Operational Directive 22-01 requires federal civilian agencies to remediate vulnerabilities listed in the KEV catalog by the published due date. Where patching must wait, reduce exposure on untrusted multi-user hosts by disabling unprivileged user namespaces (the exploit needs one to mount the overlay; note that this also breaks rootless containers) or by restricting FUSE and OverlayFS mounts.
- Monitor for Exploits: Audit for root-owned setuid files appearing in user-writable locations such as /tmp or home directories, and have intrusion detection flag unprivileged overlay and FUSE mount activity.
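The diagnostic command and the monitoring advice above, combined into one host audit as an added example that is not part of the original article or any vendor tooling. It checks the preconditions the exploit chain needs on an unpatched host (kernel release before the mainline fix, unprivileged user namespaces allowed, a user-writable directory on a mount without nosuid) and scans for the artefact a successful copy-up leaves behind, a root-owned setuid file outside the package-managed directories. The mountinfo text, sysctl values and file list used for the demonstration are constructed, not captured from a real host; the sysctl names and /proc paths are the standard mainline and Debian/Ubuntu knobs.

```python
"""Exposure audit for CVE-2023-0386. Added example, not from the advisory or any vendor.

Checks the preconditions the exploit needs on an unpatched host and looks for
the footprint it leaves behind. Parsers take text or tuples so they also run on
captured data; the samples at the bottom are constructed, not from a real host.
"""
import os
import re
import stat


def kernel_at_least(release, major=6, minor=2):
    """True if a `uname -r` string is >= major.minor (the mainline fix shipped in 6.2).
    False is only a hint: distro kernels backport fixes, so confirm against the vendor advisory."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError("unparseable kernel release: %r" % release)
    return (int(m.group(1)), int(m.group(2))) >= (major, minor)


def parse_mountinfo(text):
    """Parse /proc/self/mountinfo: fields before ' - ' are mount data (mountpoint is the
    5th, per-mount options the 6th); after it come fs type, source and superblock options."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        f, p = pre.split(), post.split()
        mounts.append({"mountpoint": f[4], "mnt_opts": set(f[5].split(",")),
                       "fstype": p[0], "source": p[1]})
    return mounts


def mount_for_path(mounts, path):
    """The mount that contains path: the one whose mountpoint is the longest prefix of it."""
    best = None
    for m in mounts:
        mp = m["mountpoint"]
        if mp == "/" or path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best["mountpoint"]):
                best = m
    return best


def writable_dirs_without_nosuid(mounts, candidates=("/tmp", "/var/tmp", "/dev/shm", "/home")):
    """User-writable directories whose mount lacks nosuid: a copied-up setuid file placed
    there is honoured by the kernel, which is what the exploit's upperdir needs."""
    result = []
    for d in candidates:
        m = mount_for_path(mounts, d)
        if m is not None and "nosuid" not in m["mnt_opts"]:
            result.append(d)
    return result


def unprivileged_userns_allowed(sysctls):
    """sysctls: {name: value} as read from /proc/sys. The exploit mounts its overlay from an
    unprivileged user namespace, so either knob at 0 removes that precondition."""
    if sysctls.get("user.max_user_namespaces", "1").strip() == "0":
        return False
    if sysctls.get("kernel.unprivileged_userns_clone", "1").strip() == "0":  # Debian/Ubuntu knob
        return False
    return True


def find_root_setuid(entries, trusted_prefixes=("/usr/", "/bin/", "/sbin/", "/lib/", "/opt/")):
    """entries: iterable of (path, uid, st_mode). Root-owned setuid regular files outside
    the package-managed directories are the footprint of a successful copy-up."""
    hits = []
    for path, uid, mode in entries:
        if (stat.S_ISREG(mode) and mode & stat.S_ISUID and uid == 0
                and not path.startswith(trusted_prefixes)):
            hits.append(path)
    return sorted(hits)


def walk_entries(root):
    """Live (path, uid, mode) tuples under root, without following symlinks."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            yield p, st.st_uid, st.st_mode


def read_sysctls(names=("user.max_user_namespaces", "kernel.unprivileged_userns_clone")):
    out = {}
    for n in names:
        try:
            with open("/proc/sys/" + n.replace(".", "/")) as fh:
                out[n] = fh.read()
        except OSError:
            pass  # knob absent on this kernel
    return out


def audit(release, mountinfo_text, sysctls, entries):
    """One report; the chain is open when the kernel lacks the fix, user namespaces are
    allowed and at least one writable directory sits on a mount without nosuid."""
    mounts = parse_mountinfo(mountinfo_text)
    return {
        "kernel_has_mainline_fix": kernel_at_least(release),
        "unprivileged_userns": unprivileged_userns_allowed(sysctls),
        "writable_dirs_without_nosuid": writable_dirs_without_nosuid(mounts),
        "root_setuid_outside_system_dirs": find_root_setuid(entries),
    }


# Constructed sample data (not from a real host): /tmp is a nosuid tmpfs, but /home and
# /var/tmp sit on the root ext4 mount, which has no nosuid, so they are usable upperdirs.
SAMPLE_MOUNTINFO = """\
24 30 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
30 1 259:2 / / rw,relatime shared:1 - ext4 /dev/nvme0n1p2 rw
43 30 0:37 / /tmp rw,nosuid,nodev,relatime shared:22 - tmpfs tmpfs rw,size=4096k
44 30 0:38 / /dev/shm rw,nosuid,nodev,relatime shared:23 - tmpfs tmpfs rw
"""
SAMPLE_SYSCTLS = {"user.max_user_namespaces": "63413\n", "kernel.unprivileged_userns_clone": "1\n"}
SAMPLE_FILES = [
    ("/usr/bin/sudo", 0, 0o104755),        # legitimate setuid root binary
    ("/home/bob/upper/sh", 0, 0o104755),   # what a successful copy-up leaves behind
    ("/home/bob/tool", 1000, 0o104755),    # setuid, but not root-owned
    ("/tmp/notes.txt", 1000, 0o100644),
]

if __name__ == "__main__":
    print(audit("5.15.0-91-generic", SAMPLE_MOUNTINFO, SAMPLE_SYSCTLS, SAMPLE_FILES))
    with open("/proc/self/mountinfo") as fh:   # same audit against the live host
        print(audit(os.uname().release, fh.read(), read_sysctls(), walk_entries("/tmp")))
```

Two design points: the nosuid check is done on the mount that will hold the upper directory, not on the overlay itself, because the exploit runs the copied-up file straight from the backing filesystem, and an unprivileged user's overlay mount is only visible inside that user's mount namespace anyway; and a `kernel_has_mainline_fix` of False on a distribution kernel should send you to the vendor advisory, since the audit cannot see a backported fix.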
CISA has added the flaw to its Known Exploited Vulnerabilities catalog with a remediation due date of July 8, 2025, so organizations must prioritize patching to avoid breaches.
While no ransomware campaigns have been linked to CVE-2023-0386 yet, the public PoC heightens exploitation risks.
System administrators are advised to audit local user permissions and validate kernel versions across critical infrastructure.