On June 18, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical Linux kernel vulnerability, CVE‑2023‑0386, to its Known Exploited Vulnerabilities (KEV) catalog.
This flaw, found in the OverlayFS subsystem, is currently being actively exploited in the wild and allows local privilege escalation to root. This is especially concerning given recent attacks such as the PumaBot SSH hijack botnet, which exploit similar attack vectors to gain unauthorized access.
Technical Overview
- CVE‑2023‑0386 has a CVSS score of 7.8 and affects the Linux kernel’s implementation of OverlayFS.
- The vulnerability stems from improper permission checks when OverlayFS copies a file between different mount points (the "copy-up" of a lower-layer file into the upper layer). Specifically, if the copied file carries the setuid bit, the kernel may not properly verify its ownership (UID/GID) before preserving the bit, which lets an attacker end up with a setuid root binary under their control. More generally, tightening file-access permissions (for example, restricting accounts to FTP-only access) reduces the attack surface on shared hosts.
- A local attacker can exploit this to gain root privileges on the affected system.
- The vulnerability was patched in 2023, but exploitation in the wild has only recently been observed and confirmed by CISA.
CISA Advisory and Deadline
Federal agencies under the Federal Civilian Executive Branch (FCEB) are required to patch all affected systems by July 8, 2025. CISA strongly urges organizations in the private sector to prioritize patching and include CVE‑2023‑0386 in their vulnerability management programs.
Broader Context
- CVE‑2023‑0386 is part of a larger set of vulnerabilities affecting OverlayFS. Others, such as CVE‑2023‑32629 and CVE‑2023‑2640, have similarly enabled privilege escalation on Ubuntu systems.
- Although these vulnerabilities require local access, they pose serious risks in shared or cloud environments where attackers might already have limited user accounts.
- Public proof-of-concept (PoC) code exists for similar vulnerabilities, increasing the risk of widespread abuse.
Recommended Actions
- Apply available patches to prevent root-level compromise from local users.
- Audit and monitor systems to detect signs of privilege escalation attempts.
- Harden OverlayFS usage by limiting exposure in container or shared setups.
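The three actions above map onto a few checks an administrator can script. The audit below is an added example written for this article, not a vendor tool or anything from the original post. It lists where OverlayFS is mounted and with which layers, reports setuid files under a given tree (a freshly created setuid root binary in an upper directory or a world-writable path is the artefact this class of bug produces), and reports whether unprivileged user namespaces are permitted, since the known exploitation path mounts OverlayFS from inside such a namespace. The sysctl names are real (`kernel.unprivileged_userns_clone` on Debian/Ubuntu kernels, `user.max_user_namespaces` on mainline); the directories scanned by `run_audit` and the `AUDIT_RUN` switch are assumptions of this example, and the commands assume GNU/BusyBox `find`, `ls` and `awk`.

```shell
#!/bin/sh
# Defender-side audit for the conditions CVE-2023-0386 abuses.
# Added example, not part of the original article. Paths and the
# AUDIT_RUN switch are assumptions chosen for this illustration.

# 1. OverlayFS mounts and their layer options. Reads the mount table
#    (default /proc/self/mounts); a file path can be passed so the
#    function can also be run against a saved copy of the table.
#    Output: "<mountpoint> <options>" per overlay mount.
list_overlay_mounts() {
    mounts_file="${1:-/proc/self/mounts}"
    awk '$3 == "overlay" { print $2 " " $4 }' "$mounts_file"
}

# 2. Setuid files under a directory tree. Anything here that is not a
#    known distribution binary deserves a look, especially inside an
#    overlay upperdir or a world-writable location.
#    Output: "<owner uid> <mode string> <path>" per hit.
find_setuid_files() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r f; do
        # ls -ldn gives "mode links uid gid ..."; keep uid, mode, path
        ls -ldn "$f" | awk -v p="$f" '{ print $3, $1, p }'
    done
}

# 3. Are unprivileged user namespaces allowed? The optional argument is
#    a root prefix so the check can be pointed at a constructed tree.
#    Output: restricted | allowed | unknown
userns_status() {
    root="${1:-}"
    if [ -r "$root/proc/sys/kernel/unprivileged_userns_clone" ]; then
        v=$(cat "$root/proc/sys/kernel/unprivileged_userns_clone")
    elif [ -r "$root/proc/sys/user/max_user_namespaces" ]; then
        v=$(cat "$root/proc/sys/user/max_user_namespaces")
    else
        echo "unknown"
        return 0
    fi
    if [ "$v" = "0" ]; then
        echo "restricted"
    else
        echo "allowed"
    fi
}

# Full report. Which directories to scan is an assumption; adjust for
# the host (container storage roots, /tmp, home directories).
run_audit() {
    echo "== kernel: $(uname -r) (compare against your distribution's advisory)"
    echo "== overlay mounts (mountpoint options)"
    list_overlay_mounts
    echo "== unprivileged user namespaces: $(userns_status)"
    for d in /tmp /var/tmp /home /var/lib/docker /var/lib/containers; do
        [ -d "$d" ] || continue
        echo "== setuid files under $d"
        find_setuid_files "$d"
    done
}

# Run the report only when explicitly asked, so the functions can be
# sourced from other scripts without side effects.
if [ "${AUDIT_RUN:-0}" = "1" ]; then
    run_audit
fi
```

Usage: `AUDIT_RUN=1 sh overlay-audit.sh` as root prints the full report; sourcing the file makes the three functions available individually. Any setuid file reported under `/tmp`, a home directory or an overlay upper directory that was not placed there by the package manager is worth treating as a possible privilege-escalation artefact and checking against package ownership (`dpkg -S` or `rpm -qf`).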
Final Thoughts
Even though this vulnerability was discovered and fixed in 2023, the fact that it’s now actively exploited emphasizes the importance of timely patch management. Linux administrators, especially those managing cloud workloads or multi-user systems, should take this threat seriously and update as soon as possible.