
Attackers exploit Linux vulnerability with PoC exploit


CISA warns US federal agencies about attackers targeting a serious security flaw in the OverlayFS submodule of the Linux kernel. This vulnerability allows attackers to gain root privileges.

This was reported by BleepingComputer. The local privilege escalation vulnerability (CVE-2023-0386) arises from an error in the management of ownership rights in the Linux kernel. The issue was fixed in January 2023 and disclosed two months later.

Starting in May 2023, multiple proof-of-concept exploits appeared on GitHub. This makes it easier to exploit the vulnerability. As a result, it became a top priority for Linux administrators to patch their systems.

According to an analysis by Datadog Security Labs, CVE-2023-0386 is easy to exploit. It affects widely used Linux distributions such as Debian, Red Hat, Ubuntu, and Amazon Linux when they run a kernel version lower than 6.2.

Error in ownership management

CISA explains that the Linux kernel contains an error in ownership management. It allows a user to copy an executable file carrying additional privileges from a nosuid mount to another mount within the OverlayFS submodule without authorization. This uid-mapping error lets a local user elevate their privileges on the system.
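The two facts an administrator can act on from the text above are the affected kernel range (below 6.2) and the copy path the bug abuses (a file on a nosuid mount copied through an OverlayFS mount). The following POSIX shell triage helper is an added example, not code from the article, CISA, Datadog or Qualys: it classifies a `uname -r` style version string against the 6.2 boundary and lists overlay and nosuid mounts from `/proc/mounts`-formatted input. The sample mount lines are constructed for the demonstration. Distribution kernels often carry backported fixes, so "affected-range" means "check the vendor advisory", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added triage helper for CVE-2023-0386 (not from the article or CISA).
# A version below 6.2 is the range named in the article; vendors backport
# fixes, so treat the result as a prompt to check the advisory.

# kernel_below_62 VERSION -> exit 0 if major.minor < 6.2, 1 if not,
# 2 if the string does not start with a numeric version.
kernel_below_62() {
    ver=$1
    major=${ver%%.*}            # text before the first dot
    if [ "$major" = "$ver" ]; then
        minor=0                 # no dot at all, e.g. "6"
    else
        rest=${ver#*.}          # text after the first dot
        minor=${rest%%[!0-9]*}  # leading digits only, "15.0-91-generic" -> 15
    fi
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -lt 6 ]; then return 0; fi
    if [ "$major" -eq 6 ] && [ "$minor" -lt 2 ]; then return 0; fi
    return 1
}

# kernel_status VERSION -> prints affected-range, outside-range or invalid.
kernel_status() {
    rc=0
    kernel_below_62 "$1" || rc=$?
    case $rc in
        0) echo affected-range ;;
        1) echo outside-range ;;
        *) echo invalid ;;
    esac
}

# overlay_and_nosuid_mounts reads /proc/mounts-style lines on stdin and
# prints "overlay <mountpoint>" for OverlayFS mounts and "nosuid <mountpoint>"
# for mounts carrying the nosuid option; both ends of the copy path the
# article describes are then visible to the administrator.
overlay_and_nosuid_mounts() {
    while read -r dev mnt fstype opts _; do
        [ -n "$dev" ] || continue
        case "$fstype" in
            overlay) echo "overlay $mnt" ;;
        esac
        case ",$opts," in
            *,nosuid,*) echo "nosuid $mnt" ;;
        esac
    done
}

# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS='overlay /var/lib/docker/overlay2/abc/merged overlay rw,relatime,lowerdir=/l,upperdir=/u,workdir=/w 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime 0 0'

# Demonstration: the live kernel, then the constructed mount table.
echo "kernel $(uname -r): $(kernel_status "$(uname -r)")"
printf '%s\n' "$SAMPLE_MOUNTS" | overlay_and_nosuid_mounts
```

On a real host replace the sample with `overlay_and_nosuid_mounts < /proc/mounts`. The version check is deliberately coarse: it only tells you whether a system falls inside the range the article names, and the patch state of a distribution kernel must be read from its changelog or advisory.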

Under the Binding Operational Directive (BOD) 22-01 of November 2021, US federal agencies are required to protect their networks from ongoing attacks that exploit this vulnerability.

CISA is giving agencies within the Federal Civilian Executive Branch (FCEB) three weeks to patch their Linux systems. The organization reported that malicious cyber actors often use these types of vulnerabilities as a means of attack. The vulnerabilities pose a significant risk to federal infrastructure.

On Tuesday, researchers from the Qualys Threat Research Unit (TRU) also warned that threat actors could use two recently patched local privilege escalation vulnerabilities to gain root access on systems running on major Linux distributions.

Qualys TRU developed proof-of-concept exploits. The company successfully used CVE-2025-6019 to gain root privileges on systems running Debian, Ubuntu, Fedora, and openSUSE.
