CVE Vulnerability Database

CVE-2023-0386: Linux Kernel Privilege Escalation Flaw

CVE-2023-0386 is a privilege escalation vulnerability in the Linux kernel's OverlayFS subsystem allowing local users to gain elevated privileges. This article covers technical details, affected systems, and mitigation.

CVE-2023-0386 Overview

CVE-2023-0386 is a local privilege escalation vulnerability in the Linux kernel's OverlayFS subsystem. The flaw allows an unprivileged local user to gain root privileges by copying a setuid file with capabilities from a nosuid mount into another mount. The kernel fails to correctly handle user ID (UID) mapping during the copy-up operation, allowing the resulting file to retain its setuid bit and capabilities in a context where the calling user can execute it with elevated privileges. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The flaw is tracked under CWE-282: Improper Ownership Management.

Critical Impact

A local unprivileged user can escalate to root on affected Linux systems by abusing OverlayFS UID mapping during setuid file copy-up.

Affected Products

  • Linux Kernel (multiple versions through 6.2-rc5)
  • Canonical Ubuntu Linux 18.04 LTS, 20.04 LTS, 22.04 LTS
  • Debian Linux 10
  • NetApp H300S, H500S, H700S, H410S, H410C and associated firmware

Discovery Timeline

  • 2023-03-22 - CVE-2023-0386 published to NVD
  • 2023-04-20 - NetApp publishes security advisory NTAP-20230420-0004
  • 2023-06 - Debian LTS releases security update for affected kernel packages
  • 2025-11-04 - Last updated in NVD database

Technical Details for CVE-2023-0386

Vulnerability Analysis

The vulnerability resides in the Linux kernel's OverlayFS (Overlay Filesystem) subsystem, which stacks an upper writable layer on top of a lower read-only layer. When a user copies a file from a nosuid mount (where setuid bits are ignored) into an overlay mount that does not enforce nosuid, the kernel performs a copy-up operation. During this operation, the kernel improperly preserves the setuid bit and file capabilities while remapping ownership, producing an executable that runs with elevated privileges in a namespace controlled by the attacker.

The vulnerability is classified under CWE-282: Improper Ownership Management. It is exploitable by any local user with the ability to create user namespaces, a default capability on most modern Linux distributions. The EPSS score reflects a high probability of exploitation activity, and the CISA KEV listing confirms in-the-wild abuse.

Root Cause

The root cause is incorrect UID mapping logic in ovl_copy_up_meta_inode_data() and related copy-up routines. When a file is moved from a nosuid lower layer to the overlay's upper layer, the kernel does not strip the S_ISUID and S_ISGID bits or capability extended attributes. The resulting file inherits attacker-controlled ownership in a user namespace while retaining its privileged execution bits when accessed from the host namespace. The fix, committed as 4f11ada10d0a, addresses the metadata-only copy-up path to correctly handle these attributes.

Attack Vector

Exploitation requires local access and the ability to create user and mount namespaces. The attacker prepares a setuid-root binary or a binary with file capabilities (such as cap_setuid+ep) on a filesystem the attacker controls. The attacker mounts an overlay filesystem with that binary in the lower layer, then triggers a copy-up by modifying the file's metadata. The copied file in the upper layer preserves the privileged attributes. Executing the resulting file grants root privileges or the embedded capabilities. Public exploit code has been published demonstrating reliable root escalation against affected kernels.

For technical details on the exploitation primitive, see the Linux Kernel Commit 4f11ada10d0a and the Packet Storm Security Notice.

Detection Methods for CVE-2023-0386

Indicators of Compromise

  • Unexpected setuid or capability-bearing binaries appearing in user-writable directories or under /tmp overlay upper directories
  • Process execution chains where an unprivileged user spawns a setuid binary from a non-system path and gains UID 0
  • Creation of user namespaces (unshare -U or clone(CLONE_NEWUSER)) immediately followed by mount syscalls for overlay filesystem type by non-root users
  • Kernel audit events showing mount syscalls with fstype=overlay originating from unprivileged UIDs

Detection Strategies

  • Enable Linux audit rules on execve for binaries with setuid bit or file capabilities executed from non-standard paths
  • Monitor mount syscalls for overlay filesystem creation by non-root users using auditd or eBPF telemetry
  • Correlate user namespace creation events with subsequent privilege transitions to UID 0
  • Inspect /proc/*/status for processes where effective UID differs from real UID without matching system setuid binary inode

Monitoring Recommendations

  • Collect execve, mount, unshare, and setuid syscall telemetry from all Linux hosts and forward to a central analytics platform
  • Alert on capability sets (CapEff) containing cap_sys_admin or cap_setuid for processes spawned from user-writable filesystem paths
  • Baseline normal overlay mount activity on container hosts to distinguish legitimate runtime activity from abuse
  • Track kernel version inventory across the fleet and flag hosts running unpatched kernels exposed to local users
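Detection logic for the chain the bullets above describe (user namespace creation, overlay mount by a non-root UID, then a setuid exec from a non-system path that lands at UID 0), written as an added example for this page rather than the advisory's or any vendor's code. It assumes telemetry has already been normalised into Event records with the field names shown; the sample events are constructed.

```python
# Added example for this page (not from the advisory or any vendor tool):
# correlate syscall telemetry for the CVE-2023-0386 pattern. Event field
# names and the sample values below are assumptions.
from dataclasses import dataclass

CLONE_NEWUSER = 0x10000000   # unshare(2)/clone(2) flag creating a user namespace
SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/")

@dataclass
class Event:
    ts: float      # seconds
    uid: int       # real UID of the caller
    euid: int      # effective UID after the call (meaningful for execve)
    syscall: str   # "unshare", "clone", "mount" or "execve"
    detail: str    # hex flags for unshare/clone, fstype for mount, path for execve

def detect_overlay_suid_chain(events, window=60.0):
    """One alert per unprivileged UID whose events show, within `window` seconds:
    user namespace -> overlay mount -> exec from a non-system path at euid 0.
    Keyed by UID, not PID, since the stages usually span a parent and children."""
    stages, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.uid == 0:          # root (e.g. a container runtime) mounting overlay is expected
            continue
        s = stages.setdefault(ev.uid, {})
        if ev.syscall in ("unshare", "clone") and int(ev.detail, 16) & CLONE_NEWUSER:
            s["userns"] = ev.ts
        elif (ev.syscall == "mount" and ev.detail == "overlay"
              and "userns" in s and ev.ts - s["userns"] <= window):
            s["overlay"] = ev.ts
        elif (ev.syscall == "execve" and ev.euid == 0 and "overlay" in s
              and ev.ts - s["overlay"] <= window
              and not ev.detail.startswith(SYSTEM_PREFIXES)):
            alerts.append({"uid": ev.uid, "path": ev.detail, "ts": ev.ts,
                           "userns_ts": s["userns"], "overlay_ts": s["overlay"]})
            stages.pop(ev.uid)   # one alert per chain; start over for this UID
    return alerts

# Constructed sample telemetry: a legitimate setuid exec, a root container
# mount, a full chain from UID 1001, and a lone euid-0 exec with no prior stages.
SAMPLE_EVENTS = [
    Event(10.0, 1000, 0, "execve", "/usr/bin/passwd"),
    Event(20.0, 0, 0, "mount", "overlay"),
    Event(100.0, 1001, 1001, "unshare", "0x10000000"),
    Event(101.0, 1001, 1001, "mount", "overlay"),
    Event(102.0, 1001, 0, "execve", "/tmp/ovl/merged/suid"),
    Event(200.0, 1002, 0, "execve", "/home/u/bin/tool"),
]
```

Only UID 1001 produces an alert; the lone euid-0 exec from UID 1002 is left for the separate setuid-from-non-system-path rule in the IoC list, so the two signals can be tuned independently.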

How to Mitigate CVE-2023-0386

Immediate Actions Required

  • Apply vendor kernel updates from your distribution as soon as practical, prioritizing multi-tenant and shared-access systems
  • Reboot affected systems after applying kernel packages, or apply live patches where supported by the distribution
  • Audit which local user accounts have shell access on Linux servers and reduce exposure on systems pending patch
  • Disable unprivileged user namespaces where not required by application workloads

Patch Information

The upstream fix is committed in the Linux kernel as commit 4f11ada10d0a. Distribution-specific updates are available from the Debian Security Advisory DSA-5402, the Debian LTS Security Announcement, and the NetApp Security Advisory NTAP-20230420-0004. Ubuntu users should install the latest linux-image package for their release. NetApp HCI customers should consult the vendor advisory for firmware updates to H-series storage nodes.

Workarounds

  • Set kernel.unprivileged_userns_clone=0 via sysctl to prevent unprivileged users from creating user namespaces required for the exploit
  • Mount user-writable filesystems with the nosuid option to limit setuid execution surface
  • Restrict shell access on shared systems and enforce least-privilege account policies until patches are deployed
  • For container hosts, ensure container runtimes drop CAP_SYS_ADMIN and use seccomp profiles that block mount syscalls

```bash
# Disable unprivileged user namespaces as a mitigation
# (kernel.unprivileged_userns_clone is a Debian/Ubuntu kernel sysctl)
sudo sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone=0' | sudo tee /etc/sysctl.d/99-cve-2023-0386.conf

# Verify current kernel version against patched releases
uname -r

# Confirm overlay mount restrictions on multi-user hosts
mount | grep overlay
```
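The nosuid workaround and the overlay-mount check above can be audited from /proc/self/mounts instead of eyeballing `mount` output. The following is an added example for this page, not the advisory's own tooling; the list of user-writable mount points and the sample mount table are assumptions.

```python
# Added example for this page (not from the advisory): audit a /proc/self/mounts
# table for mounts that should carry nosuid. USER_WRITABLE and SAMPLE_MOUNTS
# are assumptions; /proc/mounts escapes space, tab, newline and backslash
# in paths as \ooo octal sequences, which parse_mounts decodes.
import re

USER_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm", "/home")

def _unescape(field):
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Yield (mountpoint, fstype, set(options)) for each /proc/mounts line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        yield _unescape(parts[1]), parts[2], set(parts[3].split(","))

def audit_nosuid(text):
    """Return (mountpoint, fstype, reason) for overlay mounts and writable
    user-writable mounts that lack nosuid."""
    findings = []
    for mp, fstype, opts in parse_mounts(text):
        if "nosuid" in opts:
            continue
        if fstype == "overlay":
            findings.append((mp, fstype, "overlay mount without nosuid"))
        elif mp in USER_WRITABLE or mp.startswith(tuple(p + "/" for p in USER_WRITABLE)):
            if "ro" not in opts:
                findings.append((mp, fstype, "user-writable mount without nosuid"))
    return findings

# Constructed sample table in /proc/mounts format (one path contains an escaped space).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nodev 0 0
overlay /var/lib/docker/overlay2/abc/merged overlay rw,relatime,lowerdir=/l,upperdir=/u,workdir=/w 0 0
overlay /home/alice/my\\040ovl/merged overlay rw,nosuid,nodev 0 0
/dev/sdb1 /home ext4 rw,relatime 0 0
"""
```

On a live host, pass `open("/proc/self/mounts").read()` to `audit_nosuid`; overlay findings on container hosts are expected for runtime-managed root filesystems and should be baselined rather than alerted on blindly.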

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
