CVE-2023-0386 Overview
A privilege escalation vulnerability exists in the Linux kernel's OverlayFS subsystem due to improper handling of uid mapping when a user copies a capable file from a nosuid mount into another mount. The flaw lets a local attacker execute a setuid file that carries file capabilities and thereby escalate privileges on the system.
Critical Impact
This vulnerability is actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Local attackers can leverage this flaw to gain root privileges on affected Linux systems.
Affected Products
- Linux kernel (versions before the fix, including 6.2-rc1 through 6.2-rc5)
- Canonical Ubuntu Linux 18.04 LTS, 20.04 LTS, 22.04 LTS
- Debian Linux 10.0
- NetApp H300S, H500S, H700S, H410S, H410C (and associated firmware)
Discovery Timeline
- 2023-03-22 - CVE-2023-0386 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2023-0386
Vulnerability Analysis
This vulnerability resides in the OverlayFS subsystem of the Linux kernel, which provides a union filesystem implementation that allows files and directories of separate filesystems to be transparently overlaid. The flaw specifically involves a uid mapping bug that occurs when a user copies a file with extended capabilities from a nosuid-mounted filesystem to another mount point.
Under normal circumstances, the nosuid mount option causes the kernel to ignore setuid/setgid bits and file capabilities on executables from that mount, providing a security boundary. This vulnerability lets an attacker bypass that protection through the improper uid/gid mapping OverlayFS applies during the file copy operation (copy-up). When a capable file is copied between mounts, the kernel fails to validate the mapping and drop the file capabilities, so the copied file retains its elevated privileges despite originating from a nosuid mount.
Root Cause
The root cause is classified under CWE-282 (Improper Ownership Management). The Linux kernel's OverlayFS implementation fails to properly handle the uid mapping and capability inheritance when files are copied between different mount points. Specifically, the code path that handles file copies does not adequately verify that file capabilities should be stripped when the source filesystem is mounted with the nosuid option.
Attack Vector
The attack requires local access to the system with the ability to create OverlayFS mounts. An attacker can exploit this vulnerability by:
- Creating or identifying a file with setuid capabilities on a nosuid-mounted filesystem
- Setting up an OverlayFS mount configuration that overlays the nosuid mount with a writable mount
- Copying the capable file through the OverlayFS layer to the writable mount
- Executing the copied file, which retains its capabilities and can be used to escalate privileges to root
The exploitation requires low privileges (a standard user account) and no user interaction, making it highly exploitable in multi-user Linux environments such as shared hosting servers, containerized environments, and enterprise Linux workstations.
Detection Methods for CVE-2023-0386
Indicators of Compromise
- Unusual OverlayFS mount operations, especially those involving nosuid mounts
- Unexpected setuid/capability-enabled binaries appearing in user-writable directories
- Process execution anomalies where unprivileged users spawn processes with elevated capabilities
- Audit log entries showing capability-enabled file execution from non-standard locations
Detection Strategies
- Monitor for OverlayFS mount system calls (mount -t overlay) using the kernel audit subsystem or eBPF-based tools
- Implement file integrity monitoring on critical system directories to detect new setuid/capability binaries
- Use SentinelOne's behavioral AI to detect privilege escalation attempts and anomalous process hierarchies
- Deploy kernel audit rules to track CAP_SETUID and CAP_SETGID capability usage patterns
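The file integrity check above can be sketched as a small scanner. The following Python is an added example written for this page, not SentinelOne's code or that of any tool named here: it walks the given directories, reports regular files that carry setuid/setgid bits or a security.capability xattr (the same attribute getcap reads), and diffs the result against an earlier snapshot so that a newly privileged file in a user-writable directory stands out. The demo() function builds a throwaway directory with a constructed setuid file; the scan roots, the baseline format and the function names are the example's own assumptions.

```python
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def file_capabilities(path):
    """Raw security.capability xattr (what getcap reads), or None if absent or unsupported."""
    getxattr = getattr(os, "getxattr", None)   # Linux only; None elsewhere
    if getxattr is None:
        return None
    try:
        return getxattr(path, "security.capability", follow_symlinks=False)
    except OSError:                            # ENODATA, ENOTSUP, EACCES ...
        return None


def scan_privileged_files(roots):
    """Return {path: info} for regular files under roots that carry setuid/setgid bits or file capabilities."""
    found = {}
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                setid = bool(st.st_mode & SETID_BITS)
                caps = file_capabilities(path)
                if setid or caps is not None:
                    found[path] = {
                        "setid": setid,
                        "caps": caps is not None,
                        "owner_uid": st.st_uid,
                        "mode": oct(st.st_mode & 0o7777),
                    }
    return found


def new_privileged_files(baseline, current):
    """Paths privileged now but absent from the baseline snapshot: the 'new setuid binary' indicator."""
    return sorted(p for p in current if p not in baseline)


def demo():
    """Build a throwaway tree with one setuid file and one plain file, then scan it (constructed data)."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    suid = os.path.join(root, "suid-helper")
    plain = os.path.join(root, "plain-file")
    for p in (suid, plain):
        with open(p, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")
    os.chmod(plain, 0o755)
    os.chmod(suid, 0o4755)             # owner-setuid; no capability xattr (setting one needs CAP_SETFCAP)
    baseline = {plain: {}}             # pretend the earlier snapshot knew only the plain file
    current = scan_privileged_files([root])
    return {
        "suid": suid,
        "plain": plain,
        "scan": current,
        "new": new_privileged_files(baseline, current),
    }


if __name__ == "__main__":
    result = demo()
    for path in result["new"]:
        print("new privileged file:", path, result["scan"][path])
```

Run it periodically against /tmp, /home, /var/tmp and any OverlayFS upper directories and keep the previous scan as the baseline; an entry that appears between runs with caps or setid set and a root owner_uid in a user-writable path is the indicator listed above.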
Monitoring Recommendations
- Enable kernel auditing for mount system calls: auditctl -a always,exit -F arch=b64 -S mount -k mounts (add the same rule with -F arch=b32 on hosts that run 32-bit binaries; a file watch such as auditctl -w /etc/fstab -p wa -k mounts only records edits to /etc/fstab, not mount calls)
- Configure SentinelOne endpoint agents to alert on suspicious OverlayFS activity and privilege transitions
- Monitor for binaries carrying unexpected file capabilities (getcap -r /) and for processes running with unexpected capabilities, using SentinelOne's deep visibility features
- Review container runtime configurations for potential OverlayFS exploitation vectors
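To make the audit-based monitoring concrete, here is an added Python example (not from the original page or from SentinelOne) that parses auditd records produced by a mount-syscall rule such as auditctl -a always,exit -F arch=b64 -S mount -k mounts. It groups SYSCALL and PROCTITLE records by event serial, decodes the hex-encoded PROCTITLE back into argv, and flags overlay mounts issued by a non-root uid. Syscall number 165 is __NR_mount on x86_64 (arch=c000003e), which is the only ABI the example keys on; the log lines are constructed for the example, and the uid != 0 rule and the function names are the example's own choices.

```python
import re
from collections import defaultdict

# __NR_mount on x86_64; arch=c000003e in the SYSCALL record identifies that ABI.
MOUNT_SYSCALL_X86_64 = 165


def proctitle_hex(argv):
    """Encode argv the way auditd's PROCTITLE record does: NUL-joined, hex-encoded."""
    return b"\x00".join(a.encode() for a in argv).hex().upper()


# Constructed sample records (not captured from a real host). Event 1001 is a
# non-root user mounting an overlay; event 1002 is root mounting a tmpfs.
SAMPLE_AUDIT_LOG = "\n".join([
    'type=SYSCALL msg=audit(1679500000.123:1001): arch=c000003e syscall=165 '
    'success=yes exit=0 ppid=2301 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 '
    'comm="mount" exe="/usr/bin/mount" key="mounts"',
    'type=PROCTITLE msg=audit(1679500000.123:1001): proctitle='
    + proctitle_hex(["mount", "-t", "overlay", "overlay", "-o",
                     "lowerdir=/tmp/l,upperdir=/tmp/u,workdir=/tmp/w", "/tmp/m"]),
    'type=SYSCALL msg=audit(1679500100.456:1002): arch=c000003e syscall=165 '
    'success=yes exit=0 ppid=1 pid=2400 auid=0 uid=0 gid=0 euid=0 '
    'comm="mount" exe="/usr/bin/mount" key="mounts"',
    'type=PROCTITLE msg=audit(1679500100.456:1002): proctitle='
    + proctitle_hex(["mount", "-t", "tmpfs", "tmpfs", "/mnt/scratch"]),
])

_HEADER = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_records(text):
    """Group auditd lines by event serial: {serial: {record type: {field: value}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = _HEADER.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in _KV.findall(m.group("body"))}
        fields["_ts"] = m.group("ts")
        events[m.group("serial")][m.group("type")] = fields
    return events


def decode_proctitle(value):
    """auditd hex-encodes PROCTITLE when argv contains NULs (any multi-argument command);
    a single-word command is emitted quoted instead."""
    if re.fullmatch(r'[0-9A-Fa-f]+', value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode(errors="replace").split("\x00")
    return value.split()


def find_unprivileged_overlay_mounts(text):
    """Return one alert per mount(2) event where argv names an overlay and the caller's uid is not 0."""
    alerts = []
    for serial, recs in parse_audit_records(text).items():
        sc = recs.get("SYSCALL")
        if not sc or sc.get("arch") != "c000003e":
            continue
        if int(sc.get("syscall", -1)) != MOUNT_SYSCALL_X86_64:
            continue
        argv = decode_proctitle(recs.get("PROCTITLE", {}).get("proctitle", ""))
        # the type appears after -t and usually again as the source token
        is_overlay = "overlay" in argv or "overlayfs" in argv
        if is_overlay and sc.get("uid") != "0":
            alerts.append({"serial": serial, "ts": sc["_ts"], "uid": sc["uid"],
                           "auid": sc.get("auid"), "comm": sc.get("comm"), "argv": argv})
    return alerts


if __name__ == "__main__":
    for alert in find_unprivileged_overlay_mounts(SAMPLE_AUDIT_LOG):
        print("unprivileged overlay mount:", alert)
```

Feed it /var/log/audit/audit.log (or the output of ausearch -k mounts --raw) instead of the sample; in a SIEM the same logic maps to a rule on syscall=165 plus a decoded proctitle containing "overlay" and a non-zero uid. Mounts performed through a user namespace still show the caller's real uid in the SYSCALL record, which is what the check relies on.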
How to Mitigate CVE-2023-0386
Immediate Actions Required
- Apply kernel patches immediately on all affected Linux systems
- Restrict unprivileged user namespaces if not required: sysctl -w kernel.unprivileged_userns_clone=0 (this key exists on Debian and Ubuntu kernels; upstream kernels lack it, and there user.max_user_namespaces=0 blocks user namespace creation for all users, which can break rootless container runtimes)
- Audit existing OverlayFS mounts and ensure proper nosuid enforcement
- Deploy SentinelOne agents to detect and prevent exploitation attempts
Patch Information
The vulnerability has been addressed in the upstream Linux kernel. The fix is available in commit 4f11ada10d0a in the Linux kernel source tree. Organizations should update to patched kernel versions as soon as possible:
- Linux Kernel: Apply commit 4f11ada10d0a
- Ubuntu: Apply updates per Kernel Live Patch Security Notice LSN-0095-1
- Debian: Apply patches from DSA-5402 and Debian LTS announcements
- NetApp: Review NetApp Security Advisory NTAP-20230420-0004
Workarounds
- Disable unprivileged user namespaces by setting kernel.unprivileged_userns_clone=0 in /etc/sysctl.conf
- Restrict access to mount system calls using seccomp profiles or AppArmor/SELinux policies
- Ensure all sensitive mounts use the nosuid,nodev,noexec mount options where applicable
- Limit OverlayFS usage to trusted administrative processes only
# Disable unprivileged user namespaces as a workaround.
# kernel.unprivileged_userns_clone is a Debian/Ubuntu kernel patch; on an
# upstream kernel the key is absent and "sysctl -p" reports it as unknown.
# There, user.max_user_namespaces=0 blocks user namespace creation for all
# users (which also breaks rootless container runtimes that rely on them).
echo "kernel.unprivileged_userns_clone=0" >> /etc/sysctl.conf
sysctl -p
# Verify the setting is applied (expected value: 0)
sysctl kernel.unprivileged_userns_clone
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


