
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a serious warning about a Linux kernel vulnerability that is actively being exploited by attackers. The flaw, identified as CVE-2023-0386, has now been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. This means it is a confirmed, real-world threat that security teams should urgently address.
CVE-2023-0386
The CVE-2023-0386 vulnerability is a privilege escalation flaw in the Linux kernel, specifically in the OverlayFS subsystem. The issue arises from improper ownership handling when files carrying special permission bits (such as setuid) are copied between certain types of file systems.
Although the vulnerability was patched in early 2023, many systems remain unpatched or misconfigured, making them easy targets for cyber attackers. With a CVSS score of 7.8, this bug is considered high severity.
According to CISA, this vulnerability allows a local attacker to gain elevated privileges, potentially giving them root-level access on the system. This means a user with limited permissions could exploit the flaw to completely take over the affected machine.
The core problem lies in how OverlayFS handles file ownership when copying data between file systems. OverlayFS is commonly used in Linux to merge multiple file systems into a single virtual file system.
In this case, an attacker can exploit the OverlayFS mechanism to move a specially crafted file from a “nosuid” mount (a mount that ignores set-user-ID bits) to a writable mount. This causes the Linux kernel to mistakenly allow execution of the file with elevated privileges, as it skips necessary checks during the file transfer.
Security researchers at Datadog, in a May 2023 report, explained that the exploit is relatively simple to perform. An attacker can trick the kernel into creating a setuid binary (a type of executable file that runs with elevated privileges) in a temporary folder like /tmp. Once executed, this binary runs with root permissions, giving the attacker full control.
The key mistake, according to Datadog, is that “when the kernel copied a file from the overlay file system to the ‘upper’ directory, it did not verify whether the user or group that owned the file was actually mapped in the current user namespace.” In simple terms, this means the kernel did not properly check who owns the file and whether that user should be allowed to execute it with elevated privileges.
Later in 2023, cloud security company Wiz uncovered two more Linux kernel vulnerabilities that resemble CVE-2023-0386. These are identified as:
CVE-2023-32629
CVE-2023-2640
Wiz researchers referred to these flaws as GameOver(lay) vulnerabilities. They also affect the OverlayFS mechanism and were specifically observed in Ubuntu Linux systems.
“These flaws allow attackers to craft special executable files. When run, these files can elevate the user’s privileges to root level on the affected system,” Wiz reported. The similarities between these bugs and CVE-2023-0386 underline a broader issue with how OverlayFS handles file ownership and permissions.

Given the serious nature of this vulnerability and its active exploitation in the wild, CISA has instructed all Federal Civilian Executive Branch (FCEB) agencies to apply patches addressing CVE-2023-0386 by July 8, 2025.
This mandate aims to protect federal networks from known threats and ensure that systems running Linux are not left exposed to attackers who could use this vulnerability to escalate their access and compromise sensitive data or infrastructure.
Although the exploit is currently limited to local access (meaning the attacker needs to already have some access to the system), it is often used in combination with other vulnerabilities or phishing attacks that give the attacker a foothold. From there, CVE-2023-0386 can be used to gain full control.
Organizations running Linux systems, especially those using OverlayFS or running Ubuntu-based environments, should take immediate action:
Apply the latest security patches to the Linux kernel.
Check system configurations for unsafe OverlayFS usage.
Audit file systems for unexpected SUID binaries.
Limit user access to reduce potential for local attacks.
Use kernel hardening techniques like AppArmor or SELinux for additional security.
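The following POSIX shell helper is an added example written for this article; it is not code from CISA, Datadog, Wiz or the Linux kernel project. It covers three of the steps above from the defender's side: listing active OverlayFS mounts so unexpected instances can be reviewed, checking whether unprivileged user namespaces are available (the footing an unprivileged process needs to mount its own OverlayFS instance on kernels that permit it), and reporting setuid/setgid files that are not on a known-good baseline. The function names, the one-path-per-line baseline format and the sample data in the usage notes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article, CISA, Datadog or Wiz): a small audit helper
# for the hardening steps listed above. Function names, the baseline file format
# and the sample data are assumptions made for this example.
# Requires POSIX sh, find(1), grep(1) and awk(1).

# List regular files carrying the setuid or setgid bit under directory $1,
# one absolute path per line, sorted. -xdev keeps the scan on one filesystem
# so an overlay or bind mount under the tree is not silently included.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print setuid/setgid files under $1 that do not appear in baseline file $2
# (one path per line, captured with list_suid on a known-good host).
# Returns 0 when nothing unexpected is present, 1 otherwise, so it can gate a cron job.
unexpected_suid() {
    extra=$(list_suid "$1" | grep -vxF -f "$2" || true)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Print "<mountpoint> <options>" for each overlay mount in a mount table
# ($1, default /proc/mounts) so unexpected overlay instances and their
# lowerdir/upperdir/workdir settings can be reviewed.
list_overlay_mounts() {
    awk '$3 == "overlay" { print $2, $4 }' "${1:-/proc/mounts}"
}

# Report whether unprivileged user namespaces are available. Returns 0 when
# restricted, 1 when unrestricted, 2 when the kernel exposes neither knob.
userns_status() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then   # Debian/Ubuntu-specific knob
        v=$(cat /proc/sys/kernel/unprivileged_userns_clone)
    elif [ -r /proc/sys/user/max_user_namespaces ]; then         # upstream sysctl
        v=$(cat /proc/sys/user/max_user_namespaces)
    else
        return 2
    fi
    [ "$v" = "0" ]
}

# Usage: sh audit.sh --run <directory-to-scan> <baseline-file>
if [ "${1:-}" = "--run" ]; then
    echo "== overlay mounts (mountpoint options) =="
    list_overlay_mounts
    echo "== unprivileged user namespaces =="
    rc=0; userns_status || rc=$?
    case $rc in 0) echo restricted ;; 1) echo unrestricted ;; *) echo unknown ;; esac
    echo "== setuid/setgid files under $2 not in baseline $3 =="
    unexpected_suid "$2" "$3" && echo "(none)"
fi
```

A baseline is produced once on a freshly patched host with `list_suid / > suid.baseline`, and `unexpected_suid / suid.baseline` then exits non-zero whenever a new setuid or setgid file appears, which is the artefact the Datadog description above says the exploit leaves behind in /tmp. The user namespace check is deliberately coarse: it only tells you which of the two knobs the running kernel exposes and whether it is set to zero, and restricting user namespaces may break container tooling, so treat its output as input to a review rather than a setting to flip blindly.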
Security teams should also monitor CISA’s KEV catalog regularly, as it highlights vulnerabilities that are not only dangerous but also actively being used by attackers in the real world.
The active exploitation of CVE-2023-0386 highlights the importance of proactive patch management and Linux kernel security. Although this vulnerability was patched over a year ago, the fact that it is still being abused shows how critical it is to stay up to date with system updates and threat intelligence.
With OverlayFS flaws continuing to surface, administrators should treat all filesystem-related vulnerabilities with high priority. Cyber attackers are increasingly targeting overlooked components like file systems to gain access and maintain persistence.
By following CISA’s guidance and securing vulnerable Linux systems, organizations can reduce their exposure to privilege escalation attacks and avoid potentially devastating consequences.