A dangerous Linux privilege escalation vulnerability, CVE-2023-0386, has officially entered the CISA Known Exploited Vulnerabilities (KEV) Catalog amid confirmed reports of active exploitation in the wild. The vulnerability affects the OverlayFS subsystem in the Linux kernel and allows local users to gain root privileges—a critical escalation path in any multi-user or containerized environment.
CVE-2023-0386 (CVSS 7.8) is rooted in the improper handling of file ownership and capabilities when user-controlled files are copied between mounts. Specifically, it results from a logic flaw where the kernel fails to clear setuid/setgid bits during the OverlayFS copy-up operation when crossing from a nosuid mount to another writable mount.
This bug can be weaponized in a matter of seconds, as demonstrated by a proof-of-concept (PoC) exploit developed by security researcher Xkaneiki. The PoC was tested on Ubuntu 22.04 and successfully elevated a non-privileged user to full root access.
Here’s how the exploit works in broad strokes:
- A FUSE filesystem is mounted with a setuid/setgid binary that’s writable by all users.
- The attacker uses user and mount namespaces to isolate operations.
- An OverlayFS mount is constructed with a writable upper directory and a lower layer referencing the FUSE mount.
- The malicious file is touched, triggering a copy-up.
- Due to the kernel’s flawed logic, the setuid bits are retained on the copied-up file in the upper directory.
- Running the binary from the upper directory then executes it as root.
Any system running vulnerable versions of the Linux kernel with OverlayFS enabled and namespace capabilities accessible to users—such as desktop Linux environments, containers, cloud VMs, or shared hosting setups—could be at risk.
The vulnerability is especially concerning in environments where unprivileged users can perform file operations or mount overlays—common in container runtimes or Linux sandboxing frameworks.
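The artifact this bug leaves behind is a setuid file inside an OverlayFS upper directory. As an added, defender-side example that is not from the article or the researcher's PoC, the Python below parses /proc/mounts entries to locate overlay upperdirs and walks them for setuid/setgid files; the mount table it ships with is constructed.

```python
"""Audit OverlayFS upper directories for setuid/setgid files. Added example for this
article, not the researcher's PoC and not kernel code; the sample mount table is constructed."""
import os, shutil, stat, tempfile

# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS = """\
fuse /tmp/fuse fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
overlay /tmp/merged overlay rw,relatime,lowerdir=/tmp/fuse,upperdir=/tmp/upper,workdir=/tmp/work 0 0
"""

def overlay_mounts(mounts_text):
    """Return (mountpoint, lowerdir, upperdir) for every overlay entry in /proc/mounts text."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "overlay":
            continue
        # Mount options are key=value pairs or bare flags; partition() handles both.
        opts = dict(opt.partition("=")[::2] for opt in fields[3].split(","))
        found.append((fields[1], opts.get("lowerdir", ""), opts.get("upperdir", "")))
    return found

def setuid_files(root):
    """Walk root and return the regular files whose mode carries setuid or setgid."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)

def audit(mounts_text):
    """Map each overlay mountpoint to the setuid/setgid files in its upperdir.
    On a live host: audit(open("/proc/mounts").read())."""
    return {mnt: setuid_files(upper)
            for mnt, _lower, upper in overlay_mounts(mounts_text)
            if upper and os.path.isdir(upper)}

def demo():
    """Build a constructed upperdir holding one setuid file; return the basenames flagged."""
    upper = tempfile.mkdtemp(prefix="upper-")
    for name, mode in (("suid-demo", 0o4755), ("plain", 0o644)):
        open(os.path.join(upper, name), "w").close()
        os.chmod(os.path.join(upper, name), mode)
    flagged = [os.path.basename(p) for p in setuid_files(upper)]
    shutil.rmtree(upper)
    return flagged
```

A non-empty result for an upperdir whose merged view is writable by unprivileged users is worth investigating on any host still running an unpatched kernel.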
The Cybersecurity and Infrastructure Security Agency (CISA) has instructed all Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by July 8, 2025.