CVE-2021-3493 Overview
CVE-2021-3493 is a local privilege escalation vulnerability in the Linux kernel's OverlayFS implementation. The vulnerability arises from improper validation of file capabilities with respect to user namespaces when setting file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could exploit this flaw to gain elevated privileges on affected systems.
Critical Impact
This vulnerability allows local attackers with low privileges to escalate to root-level access on vulnerable Ubuntu Linux systems. It has been actively exploited in the wild and is listed in the CISA Known Exploited Vulnerabilities catalog.
Affected Products
- Canonical Ubuntu Linux LTS versions
- Canonical Ubuntu Linux (non-LTS versions)
- Ubuntu Linux systems with unprivileged user namespaces enabled
Discovery Timeline
- 2021-04-17 - CVE-2021-3493 published to NVD
- 2025-10-28 - Last updated in NVD database
Technical Details for CVE-2021-3493
Vulnerability Analysis
This privilege escalation vulnerability exists within the OverlayFS implementation in the Linux kernel. OverlayFS is a union filesystem that allows multiple directory trees to be overlaid to create a single merged view. The core issue stems from improper validation logic when handling file capabilities in the context of user namespaces.
Ubuntu's kernel carries a specific patch that enables unprivileged users to create overlay mounts when user namespaces are available. This patch, combined with the lack of proper namespace validation for file capabilities, creates an exploitable condition. When a user within a user namespace sets file capabilities on files in the underlying filesystem through the overlay, the kernel fails to properly validate that the user has the necessary privileges in the init namespace. This allows an attacker to set arbitrary capabilities on files, which can then be used to escalate privileges to root.
Root Cause
The root cause is improper authorization (CWE-863) combined with privilege context switching errors (CWE-270). The OverlayFS code did not adequately check whether file capability operations performed through the overlay were authorized relative to the underlying filesystem's permission model. Specifically, the validation logic failed to account for the privilege boundaries between user namespaces and the init namespace when processing capability-related extended attributes on files.
Attack Vector
The attack is performed locally by a user with low-level access to the system. The attacker exploits the vulnerability by:
- Creating a user namespace with elevated privileges within that namespace
- Mounting an overlay filesystem that includes directories the attacker controls
- Setting file capabilities (such as cap_setuid) on a binary through the overlay mount
- Executing the capability-enhanced binary outside the user namespace context
- The binary then runs with elevated capabilities, allowing the attacker to escalate to root
The exploitation requires local access but does not require any user interaction. The attack complexity is low, making it highly reliable for exploitation.
Detection Methods for CVE-2021-3493
Indicators of Compromise
- Unexpected creation of user namespaces by non-privileged users
- Suspicious overlay mount operations, particularly from non-root processes
- Files in overlay-mounted directories with unexpected capability extended attributes
- Evidence of setcap operations or manipulation of security.capability xattrs in audit logs
- Unusual process executions with file capabilities that were not administratively assigned
Detection Strategies
- Monitor for unshare(CLONE_NEWUSER) system calls that create new user namespaces from unexpected processes
- Audit overlay mount syscalls (mount -t overlay) from non-root users
- Implement file integrity monitoring on sensitive system binaries to detect capability changes
- Use Linux Audit Framework to track CAP_SETFCAP usage and capability modifications
- Deploy endpoint detection rules targeting the specific exploitation pattern of overlay + user namespace abuse
Monitoring Recommendations
- Enable kernel auditing for mount operations with auditctl -a always,exit -F arch=b64 -S mount -k overlay_mounts
- Configure alerts for processes gaining unexpected capabilities during execution
- Compare the /proc/*/ns/user link of running processes against that of PID 1 to find processes that have entered a non-initial user namespace
- Implement baseline monitoring for file capabilities across the system and alert on deviations
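The file-capability baseline recommended above (and the capability-change monitoring in the detection strategies) can be implemented by reading the security.capability xattr directly. The script below is an added example, not code from the original advisory; it assumes a Linux host for the scanning part, and the sample xattr value and path in the test are constructed.

```python
import os
import struct
# security.capability layout (linux/capability.h): u32 magic_etc (revision in the top byte,
# bit 0 = effective), then {permitted, inheritable} x2; revision 3 appends a u32 rootid
VFS_CAP_REVISION_MASK = 0xFF000000
CAP_NAMES = {6: "cap_setgid", 7: "cap_setuid", 21: "cap_sys_admin", 31: "cap_setfcap"}

def decode_vfs_cap(raw):
    """Decode a raw security.capability value into its fields."""
    magic = struct.unpack_from("<I", raw, 0)[0]
    version = (magic & VFS_CAP_REVISION_MASK) >> 24
    if version == 2:
        p0, i0, p1, i1 = struct.unpack_from("<IIII", raw, 4)
        rootid = None  # v2 values are always relative to the initial user namespace
    elif version == 3:
        p0, i0, p1, i1, rootid = struct.unpack_from("<IIIII", raw, 4)  # rootid: kuid the caps apply to
    else:
        raise ValueError("unsupported vfs_cap revision %d" % version)
    return {"version": version, "effective": bool(magic & 1),
            "permitted": p0 | (p1 << 32), "inheritable": i0 | (i1 << 32), "rootid": rootid}

def cap_names(mask):
    return sorted(CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if (mask >> b) & 1)

def scan_capabilities(root):
    """Walk root and collect raw security.capability xattrs keyed by path (Linux only)."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                found[path] = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:
                pass  # ENODATA (no capabilities) or unreadable: nothing to record
    return found

def diff_baseline(baseline, current):
    """Return (path, change, permitted caps) for every deviation from the saved baseline."""
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path), current.get(path)
        if before != after:
            change = "removed" if after is None else ("added" if before is None else "changed")
            caps = ",".join(cap_names(decode_vfs_cap(after)["permitted"])) if after else ""
            alerts.append((path, change, caps))
    return alerts

# Constructed sample: a v3 xattr granting cap_setuid (permitted + effective) with rootid 0
SAMPLE_SETUID_V3 = struct.pack("<IIIIII", 0x03000001, 1 << 7, 0, 0, 0, 0)
```

Save the output of scan_capabilities() on a known-good system as the baseline, rerun it periodically, and alert on anything diff_baseline() returns; a v3 value with rootid 0 or an "added" cap_setuid on a binary no administrator assigned is exactly the artefact this vulnerability leaves behind.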
How to Mitigate CVE-2021-3493
Immediate Actions Required
- Apply the Ubuntu security updates referenced in USN-4917-1 immediately
- If patching is not immediately possible, disable unprivileged user namespaces as a temporary workaround
- Audit systems for signs of previous exploitation
- Prioritize remediation given this vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog
Patch Information
Canonical has released security updates to address this vulnerability. The fix is available through the standard Ubuntu update mechanism. The kernel patch that resolves this issue is documented in the Linux kernel commit 7c03e2cda4a584cadc398e8f6641ca9988a39d52. Organizations using Ubuntu Linux Kernel Live Patching can apply the fix without rebooting, as documented in the Kernel Live Patch Security Notice LSN-0076-1.
Workarounds
- Disable unprivileged user namespaces by setting the Ubuntu kernel's kernel.unprivileged_userns_clone sysctl to 0
- Restrict access to the unshare syscall using seccomp filters where possible
- Implement mandatory access control policies (AppArmor/SELinux) to restrict overlay mount capabilities
- Limit local shell access to trusted users only until patches can be applied
# Disable unprivileged user namespaces (temporary workaround)
echo "kernel.unprivileged_userns_clone=0" | sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf
sudo sysctl -p /etc/sysctl.d/99-disable-unpriv-userns.conf
# Verify the setting is applied
sysctl kernel.unprivileged_userns_clone
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

