CISA warns of active exploitation of CVE-2023-0386 vulnerability in the Linux kernel

  • CVE-2023-0386 allows local privilege escalation by exploiting a flaw in OverlayFS.
  • The vulnerability affects multiple distributions and environments, including servers, containers, and WSL.
  • CISA is urging immediate patching by federal agencies and recommending upgrading to kernel 6.2-rc6 or higher.
  • Exploitation is straightforward, and public proofs of concept (PoC) exist that facilitate attacks.

Vulnerability in Linux

In recent days, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding the active exploitation of the vulnerability CVE-2023-0386, detected in the Linux kernel. This vulnerability, rated as high severity, has been identified as a flaw in the management of ownership permissions within the OverlayFS subsystem. Exploitation allows local users to escalate privileges and gain administrator access, putting any affected Linux system at risk.

The flaw is especially worrying because it affects a wide variety of environments, from servers and virtual machines to cloud deployments, containers and even Windows Subsystem for Linux (WSL) installations. In such scenarios, where privilege separation between users is critical, systems can be seriously compromised if the appropriate patches are not applied.

What is the CVE-2023-0386 vulnerability?

The origin of the problem lies in how OverlayFS handles file copy operations with special capabilities between different mount points. Specifically, if a user copies a file with elevated permissions from a mount configured as nosuid to another mount, the kernel does not properly remove the setuid and setgid bits during the operation. This opens the door for an attacker who already has local access to execute files with root permissions, circumventing the usual restrictions.

The vulnerability affects kernel versions prior to 6.2-rc6 on systems that have OverlayFS and user namespaces enabled. Widely used distributions such as Debian, Ubuntu, Red Hat, and Amazon Linux are on the list of vulnerable systems if they have not received the corresponding update. Furthermore, the ease with which the flaw can be exploited has been demonstrated by the publication of proofs of concept (PoC) on GitHub since May 2023, which has led to a dramatic increase in exploitation attempts.

Scope and hazards in critical environments

CVE-2023-0386 was categorized as an improper ownership management weakness (CWE-282) in OverlayFS, and can be exploited to bypass user boundaries in multi-tenant systems, enterprises, or even cloud platforms. Whether on physical or virtual machines, containers, or infrastructures that rely on file sharing, the flaw poses a considerable risk because of the ease with which it allows local privileges to be elevated.

According to several analyses by security firms such as Datadog and Qualys, exploitation is trivial: local access is sufficient to trigger the attack, and no additional interaction is required. This makes it an ideal vector for internal attackers, compromised processes, or situations where users without administrative privileges are allowed to operate. In fact, automated campaigns that seek out and exploit systems that have not yet been patched have been observed, especially after the release of public tools and exploits.

Industry response and updates

The bug was reported and fixed in early 2023 by Miklos Szeredi, a key Linux kernel developer, via a dedicated commit (ID: 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3). The patch tightens user and group checking during copy operations, aborting the operation if the UID or GID mapping is invalid in the current namespace. This is intended to ensure consistency with POSIX ACLs and to prevent scenarios where the default UID/GID 65534 was assigned, which could be manipulated.

Vendors such as NetApp were among the first to publish advisories detailing affected products, including several controller models and products that ship kernel versions predating the patch. They confirm that exploitation can result in data access, information modification, or even denial of service (DoS). Red Hat and other vendors have also begun releasing updates to address this vulnerability.

Recommendations and urgent measures to protect yourself against this vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-0386 to its catalog of exploited vulnerabilities and requires U.S. federal agencies to update by July 8, 2025. For all other organizations and users, the recommendation is clear:

  • Upgrade to Linux kernel 6.2-rc6 or higher to ensure the bug is fixed.
  • Monitor systems for anomalous privilege behavior, especially in environments with containers, multiple users, or critical infrastructure.
  • In environments where the patch cannot be applied immediately, it is recommended to temporarily disable OverlayFS or restrict local access to non-administrative users as much as possible.
  • Consult official notices and catalogs (CISA's KEV) and treat the vulnerability as a priority.
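As an added triage helper for the steps above (this script is not part of the article or any vendor advisory), the following POSIX shell functions check a host's mainline kernel version against the 6.2-rc6 threshold, report whether OverlayFS and unprivileged user namespaces are available, and list setuid/setgid files sitting outside the usual system binary directories. The version check is deliberately labelled as a hint only: distributions backport fixes into older kernel series, so a version below 6.2 must be confirmed against the distribution's own advisory. The sysctl paths used are assumptions about the host: `/proc/sys/kernel/unprivileged_userns_clone` exists only on Debian/Ubuntu kernels, and `/proc/sys/user/max_user_namespaces` is the mainline knob.

```shell
#!/bin/sh
# Added triage helper (not from the article or any vendor): flags hosts whose
# mainline kernel version predates the 6.2-rc6 fix for CVE-2023-0386 and
# whose configuration exposes the OverlayFS + user-namespace combination.

# Split a `uname -r` string into "MAJOR MINOR PATCH RC"; RC is 999 for a final release
parse_kernel_version() {
    ver=$1
    base=$(printf '%s\n' "$ver" | sed -E 's/^([0-9]+(\.[0-9]+){0,2}).*/\1/')
    major=$(printf '%s\n' "$base" | cut -d. -f1)
    minor=$(printf '%s\n' "$base" | cut -s -d. -f2)
    patch=$(printf '%s\n' "$base" | cut -s -d. -f3)
    [ -z "$minor" ] && minor=0
    [ -z "$patch" ] && patch=0
    rc=$(printf '%s\n' "$ver" | sed -nE 's/^[0-9.]+-rc([0-9]+).*/\1/p')
    [ -z "$rc" ] && rc=999
    printf '%s %s %s %s\n' "$major" "$minor" "$patch" "$rc"
}

# Returns 0 (true) when the mainline version string is at or above 6.2-rc6.
# A false result is only a hint: distribution kernels backport the fix.
kernel_version_has_fix() {
    set -- $(parse_kernel_version "$1")
    major=$1; minor=$2; rc=$4
    [ "$major" -gt 6 ] && return 0
    [ "$major" -lt 6 ] && return 1
    [ "$minor" -gt 2 ] && return 0
    [ "$minor" -lt 2 ] && return 1
    # 6.2.x: only release candidates before rc6 lack the fix
    [ "$rc" -ge 6 ]
}

# Unprivileged user namespaces widen who can reach the OverlayFS code path.
# Absent knobs are treated as "enabled", which is the upstream default.
unpriv_userns_enabled() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then   # Debian/Ubuntu knob
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = "1" ]
    elif [ -r /proc/sys/user/max_user_namespaces ]; then         # mainline knob
        [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ]
    else
        return 0
    fi
}

# True when the overlay filesystem is registered or loadable as a module
overlay_available() {
    grep -qw overlay /proc/filesystems 2>/dev/null || modinfo overlay >/dev/null 2>&1
}

# List setuid/setgid files beneath ROOT that live outside the usual system
# binary directories; a setuid file in a home or temp directory is the kind
# of anomaly the "monitor for anomalous privilege behaviour" advice refers to.
suid_files_outside_system_dirs() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
      | grep -Ev '^/(s?bin|lib|lib64|libexec)/' \
      | grep -Ev '^/usr/(local/)?(s?bin|lib|lib64|libexec)/'
}

# Human-readable summary for the current host
triage_report() {
    kv=$(uname -r)
    if kernel_version_has_fix "$kv"; then
        echo "kernel $kv: mainline version at or above 6.2-rc6"
    else
        echo "kernel $kv: predates 6.2-rc6; confirm whether the distribution backported the fix"
    fi
    if overlay_available; then echo "overlayfs: available"; else echo "overlayfs: not available"; fi
    if unpriv_userns_enabled; then
        echo "unprivileged user namespaces: enabled"
    else
        echo "unprivileged user namespaces: disabled"
    fi
    echo "setuid/setgid files outside system directories:"
    suid_files_outside_system_dirs / | sed 's/^/  /'
}

triage_report
```

Run it as any local user; only the `find` over `/` benefits from root. A host that reports an old kernel, OverlayFS available and unprivileged user namespaces enabled matches the exposed configuration the article describes and should be prioritised for patching, or for the temporary mitigation of disabling OverlayFS or unprivileged user namespaces where the distribution offers that knob.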

The assigned CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, reflecting the high potential impact on confidentiality, integrity and availability if the flaw is successfully exploited.
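To show how that vector string turns into a severity rating, here is an added worked example (not from the article) that evaluates the published CVSS v3.1 base-score equations in awk. It handles only scope-unchanged vectors (S:U), which is what this CVE uses; the scope-changed branch needs different PR weights and a different Impact formula and is deliberately rejected.

```shell
#!/bin/sh
# Added worked example (not from the article): compute the CVSS v3.1 base
# score from a vector string using the published v3.1 base-metric equations.
# Only scope-unchanged (S:U) vectors are supported.
cvss31_base_score() {
    printf '%s\n' "$1" | awk -F/ '
    # CVSS v3.1 Roundup: round to one decimal, always upwards, via fixed-point
    # integer arithmetic so that floating-point noise cannot tip the result
    function roundup(x,  i) {
        i = int(x * 100000 + 0.5)
        if (i % 10000 == 0) return i / 100000
        return (int(i / 10000) + 1) / 10
    }
    BEGIN {
        # metric weights from the v3.1 specification (PR values for S:U)
        w["AV:N"]=0.85; w["AV:A"]=0.62; w["AV:L"]=0.55; w["AV:P"]=0.2
        w["AC:L"]=0.77; w["AC:H"]=0.44
        w["PR:N"]=0.85; w["PR:L"]=0.62; w["PR:H"]=0.27
        w["UI:N"]=0.85; w["UI:R"]=0.62
        w["C:H"]=0.56;  w["C:L"]=0.22;  w["C:N"]=0
        w["I:H"]=0.56;  w["I:L"]=0.22;  w["I:N"]=0
        w["A:H"]=0.56;  w["A:L"]=0.22;  w["A:N"]=0
    }
    {
        # index each "METRIC:VALUE" component by its metric name
        for (i = 1; i <= NF; i++) { split($i, kv, ":"); m[kv[1]] = $i }
        if (m["S"] != "S:U") { print "unsupported scope"; exit 1 }
        # ISS = 1 - (1-C)(1-I)(1-A); Impact = 6.42 * ISS for scope unchanged
        iss = 1 - (1 - w[m["C"]]) * (1 - w[m["I"]]) * (1 - w[m["A"]])
        impact = 6.42 * iss
        # Exploitability = 8.22 * AV * AC * PR * UI
        expl = 8.22 * w[m["AV"]] * w[m["AC"]] * w[m["PR"]] * w[m["UI"]]
        if (impact <= 0) base = 0
        else base = roundup((impact + expl > 10) ? 10 : impact + expl)
        printf "%.1f\n", base
    }'
}

# The vector quoted in the article: ISS = 1 - 0.44^3 = 0.9148, Impact = 5.873,
# Exploitability = 8.22 * 0.55 * 0.77 * 0.62 * 0.85 = 1.835, sum 7.708 -> 7.8
cvss31_base_score "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
```

The result, 7.8, sits in the CVSS "High" band (7.0 to 8.9), which is the severity the article quotes. Changing only AV:L to AV:N and PR:L to PR:N lifts the same impact profile to 9.8, which is why local-only bugs with public PoCs are still treated as urgent but not as critical.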

This vulnerability underscores the importance of keeping Linux systems constantly updated and monitored, especially in enterprise environments or those handling sensitive data. Although exploitation requires local access, the existence of public PoCs and automated attacks increases the urgency of remediating any vulnerable instances as quickly as possible. Escalating privileges to root in these circumstances can result in a complete loss of control over the infrastructure.
