Full Report
CISA has warned U.S. federal agencies about attackers targeting a high-severity vulnerability in the Linux kernel's OverlayFS subsystem that allows them to gain root privileges. [...]
Analysis Summary
# Vulnerability: Linux Kernel OverlayFS Local Privilege Escalation (CVE-2023-0386)
## CVE Details
- CVE ID: CVE-2023-0386
- CVSS Score: Not explicitly stated; the report describes the flaw as high-severity and actively exploited, requiring urgent patching.
- CWE: Not stated; the local privilege escalation via a uid mapping bug points to an Improper Privilege Management or Access Control weakness.
## Affected Systems
- Products: Linux systems running an affected kernel (the report places the flaw in the kernel's OverlayFS subsystem).
- Versions: Not listed in the provided text; affected systems are those still lacking the fix for this flaw.
- Configurations: Local user access is required to exploit the flaw for privilege escalation.
## Vulnerability Description
CVE-2023-0386 is a vulnerability in the Linux kernel's OverlayFS subsystem that allows a local user to escalate their privileges to root via a "uid mapping bug."
## Exploitation
- Status: **Actively exploited in the wild** (CISA has added it to the KEV catalog).
- Complexity: Implied to be achievable by a local user.
- Attack Vector: **Local**
## Impact
- Confidentiality: High (Root access allows access to all system data).
- Integrity: High (Root access allows modification/deletion of any system file).
- Availability: High (Root access can lead to system disruption or compromise).
## Remediation
The summary focuses on mandatory patching timelines for US Federal Agencies.
### Patches
- Patches are **available**: the flaw had already been fixed before CISA's warning. Agencies must apply these patches.
- **Deadline for FCEB Agencies:** July 8 (as per CISA BOD 22-01 enforcement).
### Workarounds
- No workarounds are listed in the provided text. Pending patching, standard mitigations apply: enforce the Principle of Least Privilege (PoLP) and restrict local user accounts, since exploitation requires local access.
## Detection
- CISA has added this vulnerability to its **Known Exploited Vulnerabilities (KEV) catalog**, indicating active exploitation.
- Detection efforts should focus on identifying unauthorized privilege escalation attempts or unusual activity originating from low-privileged local accounts.
## References
- CISA Advisory on KEV addition: hxxps://www.cisa.gov/news-events/alerts/2025/06/17/cisa-adds-one-known-exploited-vulnerability-catalog
- Contextual information regarding Linux LPEs: hxxps://www.bleepingcomputer.com/news/linux/new-linux-udisks-flaw-lets-attackers-get-root-on-major-linux-distros/
***
*Note: The source text also mentions another vulnerability, CVE-2025-6019, affecting udisks and allowing root access on Debian, Ubuntu, Fedora, and openSUSE, for which Qualys TRU has PoCs. This summary focuses primarily on the specifically called-out, actively exploited CVE-2023-0386.*