🟢 CVE-2023-0386

CVE-2023-0386 is a local privilege escalation vulnerability in the Linux kernel's OverlayFS subsystem. A local user can escalate privileges by exploiting a uid-mapping bug that preserves file capabilities when a capable file is copied up between mounts. Exploitation requires local access and cannot be performed directly over the internet, so this is a post-compromise escalation tool rather than an initial attack vector.

Risk Level: LOW_RISK

CVSS Score: 7.8

Attack Vector: LOCAL

ATT&CK Tactic: Privilege Escalation

ATT&CK Technique: T1068 — Exploitation for Privilege Escalation

Deployment Risk: VERY_HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2023-03-22

Added to CISA KEV: 2025-06-17 (818 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2023-0386 is a local privilege escalation vulnerability within the Linux kernel's OverlayFS subsystem [1] [6]. It has been confirmed as a vulnerability actively targeted by threat actors and is included in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog [2].

Exploitation and Attack Details
  • Attack Method: The vulnerability stems from improper handling of file ownership and capabilities during "copy-up" operations in the OverlayFS subsystem [1] [6]. Specifically, when a user copies a file carrying file capabilities from a `nosuid` mount to another mount, the kernel fails to strip those capabilities, so they are preserved on the copied file when they should have been dropped [1] [5].
  • Requirements: This is a local vulnerability, meaning an attacker must already have some level of access to the system to initiate the exploit [1] [4]. No specific user interaction is required beyond the attacker executing the exploit code locally.
  • Impact: Successful exploitation allows a local user to escalate their privileges, typically gaining root access to the affected system [2] [6].
  • PoC Availability: Multiple proof-of-concept (PoC) exploits were made publicly available on GitHub shortly after the vulnerability's disclosure in May 2023, which significantly lowered the barrier for exploitation [3] [4].
Affected Versions and Mitigation
  • Affected Versions: The vulnerability affects Linux kernel versions from 5.11 through 6.1.8 (excluding 5.15.91) [1].
  • Patch Status: The issue was patched in the Linux kernel in January 2023 [4]. Users are strongly advised to update their kernels to a version containing the fix to mitigate the risk of privilege escalation [3] [7].
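The affected range above (5.11 through 6.1.8, excluding 5.15.91) is easy to misjudge by eye when a release string carries a distribution suffix. The following Python helper is an added example, not code from the original page or from any of its sources; it parses a `uname -r` style release string and compares it against the page's stated range. The range constants are taken from the page; the `assess()` wording is an assumption for illustration. A distribution kernel that backports the fix while keeping an older version number will still report as in range, so treat that verdict as a prompt to check the vendor advisory rather than as confirmation.

```python
"""Version-range check for CVE-2023-0386 (added example, not from the page)."""
import platform
import re
from typing import Tuple

# Range stated on the page: affected from 5.11 through 6.1.8, excluding 5.15.91.
AFFECTED_MIN = (5, 11, 0)
AFFECTED_MAX = (6, 1, 8)
FIXED_EXCEPTIONS = {(5, 15, 91)}


def parse_kernel_version(release: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a release string such as
    '6.1.8-arch1-1' or '5.15.91'. A missing patch level is treated as 0."""
    match = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not match:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_in_affected_range(release: str) -> bool:
    """True when the upstream version number falls inside the affected range
    the page lists and is not one of the stable releases that carry the fix."""
    version = parse_kernel_version(release)
    if version in FIXED_EXCEPTIONS:
        return False
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(release: str) -> str:
    """Short verdict for a release string (wording is this example's own).
    'in affected range' is not proof of vulnerability: distribution kernels
    often backport the fix without changing the version number, so confirm
    against the vendor advisory before acting."""
    if is_in_affected_range(release):
        return f"{release}: in affected range for CVE-2023-0386; check vendor advisory"
    return f"{release}: outside the affected range for CVE-2023-0386"


if __name__ == "__main__":
    # Constructed sample release strings, followed by the running kernel.
    for sample in ("5.10.0", "5.11.0", "5.15.90", "5.15.91", "6.1.8-arch1-1", "6.1.9", "6.2.0"):
        print(assess(sample))
    print(assess(platform.release()))
```

Running the script on a host prints a verdict for each constructed sample and then for the kernel reported by `platform.release()`; the samples exercise both range boundaries and the 5.15.91 exception.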

Sources

  1. Linux kernel OverlayFS - Privilege Escalation Vulnerability - Armis

    CVE-2023-0386 is a local privilege escalation vulnerability in the Linux kernel OverlayFS subsystem affecting kernels 5.11 through 6.1.8 (excluding 5.15.91).

  2. The OverlayFS vulnerability CVE-2023-0386: Overview, detection...

    The OverlayFS vulnerability CVE-2023-0386: Overview, detection, and remediation. March 22, 2023: Vulnerability is publicly disclosed on the NIST NVD as CVE-2023-0386. May 4, 2023: Proof-of-concept (PoC) exploits appear on GitHub. The vulnerability, dubbed CVE-202…

  3. Issue 70: Linux Kernel Exploit, Chrome Zero-Day and...

    CISA has added CVE-2023-0386 to its Known Exploited Vulnerabilities (KEV) catalog, confirming that attackers are actively targeting this OverlayFS-related privilege escalation flaw in the Linux kernel. With a CVSS score of 7.8, this vulnerability lets local users escalate privileges by exploiting im…

  4. CISA Issues Alert On Ongoing Exploitation of Linux Privilege...

    The vulnerability, tracked as CVE-2023-0386, with a CVSS score of 7.8 is a local privilege escalation issue stemming from improper ownership management in the Linux kernel. It was patched in January 2023 and publicly disclosed in March. In May 2023, multiple proof-of-concept (PoC) exploits surfaced…

  5. Improper Ownership Management - CVEs - page 1

    CVE-2023-47712 IBM Security Guardium 11.3, 11.4, 11.5, and 12.0 could allow a local user to gain elevated privileges on the system due to improper permissions control. ... CVE-2023-0989 An information disclosure issue in GitLab CE/EE ... CVE-2023-0386 A flaw was found in the Linux kernel, where unau…

  6. CISA Warns of Active Exploitation of a Linux Kernel Vulnerability...

    Understanding CVE-2023-0386: The Crux of the Vulnerability. At its core, CVE-2023-0386 is a flaw in the Linux kernel’s OverlayFS subsystem—a feature commonly used to layer file systems in containerized environments and cloud deployments. The vulnerability arises from improper handling of file owners…

  7. CVE-2023-0386 - Exploits & Severity - Feedly

    The vulnerability CVE-2023-0386 in the Linux kernel's FUSE overlayfs allows for privilege escalation, with a CVSS score of 7.8. It has been exploited in the wild by threat actors, and proof-of-concept exploits are available. Mitigations include updating to patched versions of the kernel, with downst…