CISA has added a critical Linux kernel vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning that CVE-2023-0386 is being actively exploited in real-world attacks.
This improper ownership management flaw in the Linux kernel’s OverlayFS subsystem allows local attackers to escalate privileges through unauthorized access to setuid files with capabilities, posing significant risks to Linux-based systems across enterprise environments.
OverlayFS Vulnerability – CVE-2023-0386
The vulnerability, officially designated as CVE-2023-0386, resides within the Linux kernel’s OverlayFS subsystem, a union filesystem that allows one filesystem to be overlaid on top of another.
The flaw stems from improper ownership management during file operations between different mount points with varying security contexts.
Specifically, the vulnerability is triggered when a user copies a capable file (a file carrying file capabilities) from a nosuid mount into another mount; a uid mapping bug in that copy operation lets the file bypass the normal privilege restrictions.
The technical root cause relates to CWE-282 (Improper Ownership Management), where the kernel fails to properly validate and enforce ownership permissions during file copy operations across filesystem boundaries.
When exploiting this vulnerability, attackers can abuse the setuid mechanism, which normally lets a program run with the privileges of the file's owner rather than those of the user executing it.
The OverlayFS implementation incorrectly handles capability inheritance during these cross-mount operations, enabling unauthorized privilege escalation.
Local attackers can exploit CVE-2023-0386 to escalate their privileges from standard user accounts to administrative or root-level access on affected Linux systems.
The vulnerability affects systems running vulnerable versions of the Linux kernel with OverlayFS enabled, which is common in containerized environments and modern Linux distributions.
The privilege escalation occurs through the manipulation of file capabilities during copy operations between mount points with different nosuid settings.
Attackers can craft malicious capable files and leverage the uid mapping flaw to execute them with elevated privileges despite security restrictions.
This type of vulnerability is especially dangerous in multi-tenant environments, containerized infrastructure, and systems where the principle of least privilege is critical for maintaining security boundaries.
| Risk Factors | Details |
|---|---|
| Affected Products | Linux kernel versions prior to commit 4f11ada10d0a containing vulnerable OverlayFS implementations; Red Hat Enterprise Linux (RHEL) 7, 8, 9 and associated derivatives; NetApp ONTAP Select Drive software and NetApp SolidFire products |
| Impact | Local privilege escalation |
| Exploit Prerequisites | Local user account with execute permissions; OverlayFS mounts with conflicting nosuid flags; capable binaries present in the source filesystem |
| CVSS 3.1 Score | 7.8 (High) |
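Since the prerequisites above hinge on OverlayFS mounts that lack the nosuid flag, a quick inventory of overlay mounts and their nosuid state is a useful first triage step. The script below is an added example written for this article, not code from CISA or the kernel project; it parses the /proc/self/mountinfo layout documented in proc(5) and the function names and the sample mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# Report each overlay mount and whether it carries the nosuid option.
# mountinfo fields (proc(5)): id, parent, major:minor, root, mount point,
# options, zero or more optional fields, "-", fstype, source, super options.
overlay_nosuid_report() {
    file="${1:-/proc/self/mountinfo}"   # default to the live host
    awk '{
        # Locate the "-" separator; the filesystem type is the field after it.
        sep = 0
        for (i = 7; i <= NF; i++) if ($i == "-") { sep = i; break }
        if (sep == 0 || $(sep + 1) != "overlay") next
        state = "NO_nosuid"
        n = split($6, opts, ",")
        for (j = 1; j <= n; j++) if (opts[j] == "nosuid") state = "nosuid"
        printf "%s\t%s\n", $5, state
    }' "$file"
}

# Count the overlay mounts that are NOT nosuid; these deserve review first.
count_overlay_without_nosuid() {
    overlay_nosuid_report "$1" | awk -F '\t' '$2 == "NO_nosuid" { c++ } END { print c + 0 }'
}

# Constructed sample in mountinfo format (not captured from a real host).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
45 22 0:40 / /var/lib/docker/overlay2/abc/merged rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
46 22 0:41 / /tmp rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw
47 22 0:42 / /mnt/ovl rw,nosuid,relatime - overlay overlay rw,lowerdir=/l2,upperdir=/u2,workdir=/w2
EOF

# Run against the constructed sample; drop the argument to audit the live host.
overlay_nosuid_report "$SAMPLE"
```

On a live system, pair the report with `getcap -r / 2>/dev/null` to enumerate binaries carrying file capabilities, the other prerequisite listed in the table.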
Remediation
CISA has established a mandatory remediation timeline, requiring federal agencies to apply mitigations by July 8, 2025, following the vulnerability’s addition to the KEV catalog on June 17, 2025.
Organizations must immediately implement vendor-provided patches or apply alternative mitigations according to manufacturer instructions.
For cloud service environments, administrators should follow applicable BOD 22-01 guidance to ensure comprehensive protection across distributed infrastructure.
The recommended mitigation strategy involves applying kernel updates that address the OverlayFS ownership management flaw.
System administrators should prioritize patching Linux kernel versions that include the vulnerable OverlayFS implementation, particularly in production environments handling sensitive data or supporting critical business operations.
Organizations unable to immediately apply patches should consider temporarily disabling OverlayFS functionality or implementing additional access controls to limit local user privileges until permanent fixes can be deployed.
The post CISA Warns of Linux Kernel Improper Ownership Management Vulnerability Exploited in Attacks appeared first on Cyber Security News.