Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday placed a security flaw impacting the Linux kernel in its Known Exploited Vulnerabilities (KEV) catalog, stating it has been actively exploited in the wild. The vulnerability, CVE-2023-0386 (CVSS score: 7.8), is an improper ownership bug in the Linux kernel that could be exploited to escalate privileges on susceptible
Analysis Summary
# Vulnerability: Linux Kernel OverlayFS Improper Ownership Bug Leading to Privilege Escalation
## CVE Details
- CVE ID: CVE-2023-0386
- CVSS Score: 7.8 (High)
- CWE: CWE-282 (Improper Ownership Management)
## Affected Systems
- Products: Linux Kernel
- Versions: Kernels that allow unprivileged OverlayFS mounts inside user namespaces (upstream 5.11 and later) and lack the copy-up ownership fix released in early 2023. The source does not enumerate affected or fixed version numbers; treat any kernel older than your distribution's backport of the fix as vulnerable.
- Configurations: Systems on which a local unprivileged user can create a user namespace and mount OverlayFS inside it (the default wherever unprivileged user namespaces are enabled), with a lower layer on a `nosuid` mount the user controls, such as a FUSE filesystem.
## Vulnerability Description
The flaw is in the Linux kernel's OverlayFS subsystem, in the "copy-up" path that copies a file from the read-only lower layer into the writable upper directory the first time it is modified. Copy-up reproduces the lower file's owner, group, setuid/setgid bits and file capabilities on the new upper file, but the vulnerable kernel did not check that the lower file's uid and gid are actually mapped in the user namespace of the user who mounted the overlay. A local unprivileged user who can create a user namespace and mount OverlayFS inside it can therefore use as the lower layer a `nosuid` mount they control (for example a FUSE filesystem) that presents a setuid binary owned by uid 0. In that mount the binary is harmless, because `nosuid` disables setuid semantics, and inside the user namespace its owner merely shows up as the overflow id (nobody); copy-up nevertheless writes it into the upper directory, on a mount without `nosuid`, as a file genuinely owned by the real root with the setuid bit intact. Executing that file gives the attacker root privileges.
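To make the missing check concrete, here is an added user-space model (written for this summary; it is not kernel code and not from the source report) of how the kernel maps a file's owner through a user namespace's uid_map extents and what the vulnerable and fixed copy-up paths do with an owner that has no such mapping. The extent format, the 65534 overflow id and the scenario of a namespace that maps only uid 1000 are constructed for the example; `copy_up_fixed` mirrors the upstream fix's rejection of copy-up with `-EOVERFLOW` when the owner is unmapped in the mounter's namespace.

```python
"""User-space model of the owner-mapping check the CVE-2023-0386 fix adds to
OverlayFS copy-up. Added illustration, not kernel code: id maps are reduced
to the uid_map extent format, the FUSE/overlay plumbing is left out, and the
namespaces and inodes below are constructed for the example."""
import errno
from dataclasses import dataclass

INVALID_ID = -1       # stand-in for the kernel's INVALID_UID / INVALID_GID
OVERFLOW_ID = 65534   # default /proc/sys/kernel/overflowuid, shown for unmapped ids
S_ISUID = 0o4000


@dataclass(frozen=True)
class IdMapExtent:
    """One line of /proc/<pid>/uid_map: '<inside> <outside> <count>'."""
    inside: int
    outside: int
    count: int


class UserNamespace:
    def __init__(self, extents):
        self.extents = list(extents)

    def from_kuid(self, kuid):
        """Translate a kernel-wide id into this namespace; INVALID_ID if unmapped."""
        for ext in self.extents:
            if ext.outside <= kuid < ext.outside + ext.count:
                return ext.inside + (kuid - ext.outside)
        return INVALID_ID

    def kuid_has_mapping(self, kuid):
        return self.from_kuid(kuid) != INVALID_ID

    def from_kuid_munged(self, kuid):
        """What stat(2) reports inside the namespace: the overflow id when unmapped."""
        uid = self.from_kuid(kuid)
        return OVERFLOW_ID if uid == INVALID_ID else uid


@dataclass
class Inode:
    kuid: int        # owner as the kernel tracks it (a global id, not a namespaced one)
    mode: int        # permission bits, including setuid/setgid
    nosuid: bool     # whether the mount holding the inode has MS_NOSUID


def copy_up_vulnerable(lower, mounter_ns):
    """Pre-fix copy-up: reproduce owner and mode on the upper file unconditionally.
    Returns (errno, upper_inode) the way a kernel helper would."""
    return 0, Inode(kuid=lower.kuid, mode=lower.mode, nosuid=False)


def copy_up_fixed(lower, mounter_ns):
    """Post-fix copy-up: refuse with EOVERFLOW when the lower owner has no
    mapping in the user namespace of whoever mounted the overlay."""
    if not mounter_ns.kuid_has_mapping(lower.kuid):
        return errno.EOVERFLOW, None
    return 0, Inode(kuid=lower.kuid, mode=lower.mode, nosuid=False)


def is_exploitable_root_setuid(inode):
    """True for a file that would run as the real root when executed."""
    return inode.kuid == 0 and bool(inode.mode & S_ISUID) and not inode.nosuid


# Constructed scenario: an unprivileged user (real uid 1000) creates a user
# namespace in which they are "root" (inside 0 -> outside 1000, one id) and
# mounts an overlay whose lower layer is a nosuid mount they control, where a
# setuid file is reported as owned by uid 0 (a FUSE daemon can report any owner).
ATTACKER_NS = UserNamespace([IdMapExtent(inside=0, outside=1000, count=1)])
LOWER_SUID_FILE = Inode(kuid=0, mode=0o4755, nosuid=True)

if __name__ == "__main__":
    print("owner as seen inside the namespace:",
          ATTACKER_NS.from_kuid_munged(LOWER_SUID_FILE.kuid))
    err, upper = copy_up_vulnerable(LOWER_SUID_FILE, ATTACKER_NS)
    print("vulnerable copy-up -> root setuid in upper:", is_exploitable_root_setuid(upper))
    err, upper = copy_up_fixed(LOWER_SUID_FILE, ATTACKER_NS)
    print("fixed copy-up -> errno", err, errno.errorcode[err])
```

The point the model makes: inside the attacker's namespace the lower file appears to belong to nobody, yet the kernel still knows the owner is kuid 0, so copying that ownership into an upper directory on a mount without `nosuid` yields a real root-owned setuid binary. Refusing copy-up whenever `kuid_has_mapping` fails closes exactly that gap.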
## Exploitation
- Status: Actively exploited in the wild (Placed on CISA KEV catalog).
- Complexity: Trivial to exploit (per external reporting).
- Attack Vector: Local
## Impact
- Confidentiality: High (Root access allows reading all system data)
- Integrity: High (Root access allows complete modification of the system)
- Availability: High (Root access allows complete system takeover/denial of service)
## Remediation
### Patches
- Patches were made available in early 2023. Users must ensure their Linux kernels are updated to versions including these fixes. (Specific patched kernel versions are not listed in the source.)
### Workarounds
- No specific workarounds are detailed in the source text. Given the active exploitation, immediate patching is the primary recommendation. As general hardening (not from the source), restricting unprivileged user namespaces (for example `sysctl user.max_user_namespaces=0`, or `kernel.unprivileged_userns_clone=0` on Debian-derived kernels that carry that patch) removes an unprivileged user's ability to mount OverlayFS at all, at the cost of breaking software that depends on unprivileged namespaces such as rootless containers and browser sandboxes.
## Detection
- **Indicators of Compromise (IoCs):** Not explicitly detailed in the source. Artifacts consistent with this technique include root-owned setuid binaries (or root-owned files carrying file capabilities) in world-writable or user-owned locations such as `/tmp`, `/dev/shm` or home directories, overlay and FUSE mounts created by unprivileged users (visible in the process's `/proc/<pid>/mountinfo`), and a root shell whose parent process belongs to an unprivileged user.
- **Detection Methods and Tools:** Watch user-writable directories with auditd (for example `-a always,exit -F dir=/tmp -F perm=wa -k suid_watch`) and alert on PATH records that create a regular file with `ouid=0` and the setuid bit set (`mode=0104xxx`) outside trusted system directories; periodically diff `find / -xdev -perm -4000 -uid 0` against a known-good baseline; and verify with package or vulnerability management tooling that every kernel in the fleet carries the fix.
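A worked version of the auditd-based detection, written for this summary (it is not from the source report or any vendor tool): it parses auditd PATH records, decodes the octal `mode` and hex `cap_fp` fields, and flags root-owned regular files that are setuid or carry file capabilities outside an allowlist of system directories. The sample log lines, their paths, inode numbers, serials and the `suid_watch` key are constructed.

```python
"""Flag audit records for root-owned setuid (or capability-bearing) files
created outside trusted system directories, the on-disk artifact this bug
leaves behind. Added detection example; the audit lines below are constructed
in auditd's RAW log format and their paths, inodes and serials are invented."""
import re
import stat
from dataclasses import dataclass

# Directories where root-owned setuid binaries are expected on a typical
# distribution; tune for your fleet.
TRUSTED_SUID_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                     "/usr/lib/", "/usr/libexec/")

# key=value tokens; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class PathEvent:
    serial: str      # event serial, shared with the SYSCALL record (ausearch -a <serial>)
    name: str
    mode: int        # st_mode as auditd prints it: file type bits plus permissions
    ouid: int        # owner uid of the object
    nametype: str    # CREATE, NORMAL, DELETE, ...
    cap_fp: int      # permitted file-capability set; 0 when the file has none


def parse_path_record(line):
    """Parse one auditd PATH record; return None for any other record type."""
    if not line.startswith("type=PATH "):
        return None
    f = dict(FIELD_RE.findall(line))
    # msg=audit(<epoch>.<ms>:<serial>):
    serial = f["msg"].split(":")[1].rstrip("):")
    return PathEvent(
        serial=serial,
        name=f["name"].strip('"'),
        mode=int(f["mode"], 8),
        ouid=int(f["ouid"]),
        nametype=f.get("nametype", "UNKNOWN"),
        cap_fp=int(f.get("cap_fp", "0"), 16),
    )


def is_suspicious(ev):
    """Regular file, owned by root, setuid or carrying file capabilities,
    outside the directories where such files legitimately live."""
    if not stat.S_ISREG(ev.mode) or ev.ouid != 0:
        return False
    if not (ev.mode & stat.S_ISUID) and ev.cap_fp == 0:
        return False
    return not ev.name.startswith(TRUSTED_SUID_DIRS)


def scan_audit_log(text):
    """Return the suspicious PathEvents from raw audit.log text, in file order."""
    hits = []
    for line in text.splitlines():
        ev = parse_path_record(line)
        if ev is not None and is_suspicious(ev):
            hits.append(ev)
    return hits


# Constructed sample, as a rule like the following would produce:
#   -a always,exit -F dir=/tmp -F perm=wa -k suid_watch
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1689000000.101:201): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd0c2b1e40 a2=0 a3=0 items=1 ppid=4100 pid=4121 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="suid_watch"
type=PATH msg=audit(1689000000.101:201): item=0 name="/usr/bin/passwd" inode=1572 dev=fd:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1689000000.202:202): item=1 name="/tmp/ovl/upper/bash" inode=261 dev=00:3a mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1689000000.303:203): item=1 name="/tmp/build/helper" inode=262 dev=00:3a mode=0104755 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1689000000.404:204): item=1 name="/tmp/notes.txt" inode=263 dev=00:3a mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1689000000.505:205): item=1 name="/home/alice/.cache/helper" inode=264 dev=fd:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0000000000200000 cap_fi=0000000000200000 cap_fe=1 cap_fver=2 cap_frootid=0
"""

if __name__ == "__main__":
    for ev in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"event {ev.serial}: {ev.nametype} {ev.name} "
              f"mode={ev.mode:o} ouid={ev.ouid} cap_fp={ev.cap_fp:#x}")
```

Each hit carries the event serial, so `ausearch -a <serial>` pulls the matching SYSCALL record with the `auid`, `exe` and `comm` of the process that created the file; an unprivileged `auid` writing a root-owned setuid file is the signal to escalate. The check deliberately ignores `nametype`, so a later `chmod u+s` on an existing root-owned file in a watched directory is caught as well.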
## References
- CISA Alert: hxxps://www.cisa.gov/news-events/alerts/2025/06/17/cisa-adds-one-known-exploited-vulnerability-catalog
- Datadog Report: hxxps://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/
- Related OverlayFS flaws (GameOverlay, reported by Wiz), via The Hacker News: hxxps://thehackernews.com/2023/07/gameoverlay-two-severe-linux.html