Actively Exploited Linux Kernel Vulnerability Added to CISA KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a significant Linux kernel vulnerability, CVE-2023-0386, to its Known Exploited Vulnerabilities (KEV) list, confirming that the flaw is being actively used in real-world attacks.
What is CVE-2023-0386?
The vulnerability, rated 7.8 on the CVSS scale, stems from how the Linux kernel handles file ownership when copying files via OverlayFS. Specifically, the bug occurs when a file is copied to the “upper” directory without verifying whether the file’s user or group is valid in the current user namespace.
This oversight allows a local, unprivileged user to manipulate the process and essentially smuggle a SUID binary from a restricted “lower” directory to an upper directory with elevated privileges. If successful, this can lead to full local privilege escalation.
The flaw was patched in early 2023, but active exploitation in the wild has now been confirmed by CISA.
🧬 Technical Breakdown
As CISA describes it:
"Linux kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel's OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system."
Security researchers from Datadog further demonstrated in mid-2023 how easily the bug could be exploited — by tricking the kernel into creating a SUID binary owned by root inside a writable directory like /tmp, allowing code execution with elevated permissions.
Related Vulnerabilities: GameOver(lay)
Not long after, cloud security firm Wiz uncovered similar flaws — CVE-2023-32629 and CVE-2023-2640, collectively referred to as GameOver(lay) — that impacted Ubuntu systems in much the same way. These vulnerabilities also allowed attackers to craft malicious executables that elevate privileges when executed.
What You Need to Do
CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies must apply patches addressing this vulnerability by July 8, 2025, to mitigate risks from ongoing exploitation attempts.
If you're running a Linux system that leverages OverlayFS — especially in containerized environments or multi-user setups — make sure to:
- Apply the latest kernel security patches
- Monitor /tmp, /var/tmp, and other user-writable directories for SUID binaries
- Restrict or audit use of OverlayFS where possible
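The monitoring and audit steps above can be scripted. The following POSIX shell functions are an added example written for this post, not code from the article, CISA, Datadog or Wiz: one scans the given directories for files carrying the SUID or SGID bit (the artifact the Datadog write-up describes landing in /tmp), and one lists overlay mount points from a mounts table so you can see where OverlayFS is actually in use. The demo function builds a throwaway directory with one constructed SUID file so the check can be exercised offline; the directory, file names and the sample mounts line are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): post-patch monitoring helpers
# for CVE-2023-0386-style privilege escalation artifacts.

# Print regular files with the SUID (4000) or SGID (2000) bit set under each
# directory given. Missing directories are skipped; -xdev stays on one filesystem.
# Usage: find_suid_in_dirs /tmp /var/tmp /home
find_suid_in_dirs() {
  for d in "$@"; do
    [ -d "$d" ] || continue
    find "$d" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
  done
}

# Count SUID/SGID files under the given directories (a non-zero count in
# /tmp or /var/tmp is worth an alert on most systems).
count_suid_in_dirs() {
  find_suid_in_dirs "$@" | wc -l | tr -d ' '
}

# Print the mount point of every overlay filesystem listed in a mounts table
# in /proc/self/mounts format (fields: device mountpoint fstype options ...).
# Defaults to the live table; pass a file path to inspect a saved copy.
list_overlay_mounts() {
  mounts="${1:-/proc/self/mounts}"
  awk '$3 == "overlay" { print $2 }' "$mounts"
}

# Offline demo: create a scratch directory holding one harmless script and one
# constructed SUID script, run the scan, clean up, and echo the count found.
demo_suid_check() {
  tmpd=$(mktemp -d)
  printf '#!/bin/sh\necho demo\n' > "$tmpd/harmless"
  printf '#!/bin/sh\necho demo\n' > "$tmpd/suspicious"
  chmod 0755 "$tmpd/harmless"      # ordinary executable: not reported
  chmod 4755 "$tmpd/suspicious"    # constructed SUID bit: reported
  n=$(count_suid_in_dirs "$tmpd")
  rm -rf "$tmpd"
  echo "$n"
}

# Run directly: report SUID/SGID files in the usual writable locations and
# show where OverlayFS is mounted.
if [ "${0##*/}" = "suid_audit.sh" ]; then
  echo "SUID/SGID files in /tmp, /var/tmp:"
  find_suid_in_dirs /tmp /var/tmp
  echo "Overlay mounts:"
  list_overlay_mounts
fi
```

Dropping these into a cron job or a host-agent check gives a cheap detection for the outcome of this bug class (a root-owned SUID file appearing where no package manager would put one); it complements, rather than replaces, applying the kernel patch.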
Final Thoughts
CVE-2023-0386 serves as a reminder that seemingly minor logic errors in kernel subsystems can lead to major security consequences. As always, staying ahead with timely patching and threat awareness is crucial to hardening your systems.