CVE-2021-3493

Ubuntu Linux Kernel — overlayfs File Capabilities Bypass in User Namespaces for Local Privilege Escalation
CVSS 3.1: 8.8 / 10 (HIGH). Listed in CISA's Known Exploited Vulnerabilities catalog.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on October 20, 2022, with a remediation deadline of November 10, 2022. Federal agencies are required to apply mitigations under BOD 22-01.

CVE-2021-3493 is a local privilege escalation vulnerability in Ubuntu's Linux kernel builds arising from the interaction between overlayfs and user namespaces. When a user namespace is created, the overlayfs filesystem fails to properly validate whether file capabilities (POSIX xattr security attributes) being applied to files are legitimate within that namespace. An unprivileged user can exploit this to set file capabilities on a binary that are effective in the host namespace, allowing execution with elevated host privileges.

This vulnerability is Ubuntu-specific: it exists because Ubuntu carries downstream kernel patches enabling overlayfs to be mounted inside user namespaces — a feature not present in the upstream Linux kernel at the time of disclosure. The upstream kernel's overlayfs explicitly requires CAP_SYS_ADMIN in the initial user namespace to mount, preventing this attack path. The CVSS Scope: Changed (8.8) reflects that exploitation escapes the user namespace boundary, impacting the host beyond the attacker's security scope.

What Is the Linux Kernel?

The Linux kernel is the foundational software layer between hardware and user-space programs. Overlayfs is a union filesystem layer that allows one directory tree to be transparently overlaid on another — widely used in container runtimes (Docker, LXC, Podman) to provide copy-on-write layered filesystems. File capabilities are POSIX extended attributes (security.capability xattrs) that grant specific Linux capabilities to a binary when executed, analogous to setuid but more granular.

Affected Versions

This vulnerability affects Ubuntu kernel packages specifically. The upstream Linux kernel is not affected because upstream overlayfs does not allow unprivileged mounts inside user namespaces.

Ubuntu Release                  Vulnerable Kernel        Fixed Kernel
Ubuntu 20.10 (Groovy)           5.8.0 – 5.8.0-49         5.8.0-50.56
Ubuntu 20.04 LTS (Focal)        5.4.0 – 5.4.0-70         5.4.0-71.79
Ubuntu 18.04 LTS (Bionic)       4.15.0 – 4.15.0-139      4.15.0-140.144
Ubuntu 16.04 LTS (Xenial)       4.4.0 – 4.4.0-209        4.4.0-210.242
Ubuntu 14.04 LTS (Trusty ESM)   4.4.0 – 4.4.0-209        4.4.0-210.242

Non-Ubuntu distributions using unmodified upstream kernels are not affected.

Technical Details

Root Cause: File Capabilities Not Validated Against Namespace Boundary

Linux user namespaces allow unprivileged processes to operate within an isolated privilege context — inside the namespace, a process can appear as root with a full capability set, while remaining unprivileged from the host's perspective. Critically, capabilities exercised inside a user namespace must remain scoped to that namespace.

Ubuntu's kernel patches allow overlayfs to be mounted inside user namespaces without CAP_SYS_ADMIN in the initial user namespace. When a file is created or copied within this overlayfs mount and a security.capability xattr is set on that file, the Ubuntu kernel's overlayfs code fails to check whether the caller has the right to grant those capabilities in the context of the initial (host) user namespace — not merely in its own namespace. As a result, a capability xattr set by an unprivileged user inside a user namespace is stored and honored as if it were set by a privileged host process.

When the binary with the crafted capability xattr is executed outside the user namespace (i.e., by the host system), the kernel reads the capability xattr and grants the requested capabilities — such as CAP_SETUID or CAP_DAC_OVERRIDE — without verifying that the entity that set them had the right to do so.
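To make the namespace scoping described above concrete, here is an added example (not code from the advisory, Ubuntu, or the kernel) that decodes the on-disk security.capability value and audits a directory tree for grants the host would honor. The layout is taken from the kernel's vfs_cap_data / vfs_ns_cap_data structures in include/uapi/linux/capability.h: a v2 value (20 bytes) carries no namespace root id and is treated as belonging to root of the initial user namespace, which is exactly what an unvalidated write produces here; a v3 value (24 bytes) appends a rootid naming the user namespace whose root made the grant, and the host ignores it unless that rootid is 0. The "host-effective capability on a file not owned by root" heuristic and the constructed sample value are assumptions of this example, as is limiting the name table to the capabilities the advisory mentions.

```python
"""Decode security.capability xattrs and audit a tree for host-effective grants.

Added example, not part of the advisory. Structure layout assumed from
include/uapi/linux/capability.h (vfs_cap_data / vfs_ns_cap_data).
"""
import os
import stat
import struct

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x1
XATTR_CAPS_SZ_2 = 20  # magic_etc + 2 x {permitted, inheritable}
XATTR_CAPS_SZ_3 = 24  # ... + rootid

# Only the capabilities named in the advisory; anything else is printed by number.
CAP_NAMES = {1: "cap_dac_override", 7: "cap_setuid", 21: "cap_sys_admin", 31: "cap_setfcap"}

# Constructed sample: a v2 xattr granting effective CAP_SETUID (bit 7), no rootid.
SAMPLE_V2 = struct.pack("<5I", 0x02000001, 1 << 7, 0, 0, 0)


def decode_caps(raw):
    """Parse a raw security.capability value. rootid is None for v2, which the
    kernel treats as rootid 0 (root of the initial user namespace)."""
    if len(raw) == XATTR_CAPS_SZ_2:
        magic, p_lo, i_lo, p_hi, i_hi = struct.unpack("<5I", raw)
        rootid = None
    elif len(raw) == XATTR_CAPS_SZ_3:
        magic, p_lo, i_lo, p_hi, i_hi, rootid = struct.unpack("<6I", raw)
    else:
        raise ValueError("unsupported security.capability size %d" % len(raw))
    version = (magic & VFS_CAP_REVISION_MASK) >> 24
    if version not in (2, 3):
        raise ValueError("unexpected capability revision %d" % version)
    return {
        "version": version,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": p_lo | (p_hi << 32),
        "inheritable": i_lo | (i_hi << 32),
        "rootid": rootid,
    }


def cap_names(mask):
    """Bitmask -> list of capability names, lowest bit first."""
    return [CAP_NAMES.get(n, "cap_%d" % n) for n in range(64) if mask & (1 << n)]


def host_effective(caps):
    """True if the grant applies when the binary runs in the initial namespace:
    a v2 value, or a v3 value whose rootid is 0."""
    return caps["version"] == 2 or caps["rootid"] == 0


def assess(caps, owner_uid):
    """Heuristic (an assumption of this example): packaged setcap binaries are
    root-owned, so a host-effective grant on a file owned by another uid is
    worth investigating."""
    if host_effective(caps) and owner_uid != 0:
        return "SUSPICIOUS"
    return "ok"


def audit(root):
    """Yield (path, verdict, permitted cap names) for every regular file under
    root carrying a security.capability xattr. Linux-only (os.getxattr)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:
                continue  # no xattr, no permission, or the file vanished
            caps = decode_caps(raw)
            yield path, assess(caps, st.st_uid), cap_names(caps["permitted"])


if __name__ == "__main__":
    import sys
    sample = decode_caps(SAMPLE_V2)
    print("sample:", sample, cap_names(sample["permitted"]), assess(sample, 1000))
    for path, verdict, names in audit(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        print(verdict, path, ",".join(names))
```

Run it against a directory (overlay upper directories and per-user writable locations are the interesting ones here) and compare the output with what getcap reports; the difference is that this decoder also exposes the revision and rootid, which is the field whose absence makes a grant host-effective.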

Exploitation: Step by Step

  1. Create a user namespace with unshare(CLONE_NEWNS | CLONE_NEWUSER). The calling process gains CAP_SYS_ADMIN scoped to the new namespace.
  2. Mount an overlayfs filesystem within the namespace, overlaying a writable upper directory on top of a readable lower directory (e.g., containing /bin/bash).
  3. Copy a target executable (e.g., /bin/bash) into the overlayfs upper layer, triggering a copy-on-write into the writable upper directory.
  4. Set a security.capability xattr on the copied binary inside the namespace — for example, granting CAP_SETUID. The Ubuntu kernel does not validate that this capability grant is authorized in the host namespace context.
  5. Exit the user namespace. The modified binary now exists in the upper overlay layer with an xattr granting host-level capabilities.
  6. Execute the modified binary from the host context. The kernel reads security.capability and grants the capability — allowing the unprivileged user to, for example, call setuid(0) and obtain a root shell.

Attack Characteristics

Attribute                  Detail
Attack Vector              Local — requires an existing user session
Privileges Required        Low — any unprivileged user account
User Namespace Required    Yes — attack depends on user namespace creation
Ubuntu-Specific            Yes — requires Ubuntu's overlayfs user namespace patches
Scope Changed              Yes — escapes user namespace to gain host privileges (CVSS Scope: Changed)
Container Impact           Yes — exploitable from within unprivileged containers on Ubuntu hosts

Discovery

The vulnerability was disclosed publicly on April 15, 2021, coinciding with Ubuntu's kernel security advisories. A working proof-of-concept exploit was available at the time of disclosure — notably, from multiple researchers, indicating the attack was straightforward to develop once the underlying behavior was understood. The fix (commit 7c03e2cda4a5) adds a privilege check in the overlayfs capability-copy path that validates the capability xattr against the initial user namespace before honoring it.

Exploitation Context

The immediate availability of a simple, reliable public PoC at the time of disclosure made this vulnerability broadly accessible.

  • PoC: Widely available on GitHub (e.g., github.com/briskets/CVE-2021-3493); typically ~50 lines of C
  • Ubuntu scope: Affects all actively supported Ubuntu LTS releases at time of disclosure (14.04 ESM through 20.10)
  • Container exposure: Ubuntu-based containers running on Ubuntu hosts are exploitable — an attacker who escapes to an unprivileged host shell can use this to reach root
  • Detection: The exploit uses only standard syscalls (unshare, mount, setxattr, execve) that are difficult to distinguish from legitimate container operations

CISA added CVE-2021-3493 to the KEV catalog on October 20, 2022 — 18 months after disclosure — confirming continued active exploitation.

Remediation

CISA BOD 22-01 Deadline: November 10, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Immediate Mitigation: Disable Unprivileged User Namespaces

On Ubuntu, disable unprivileged user namespace creation if not required:

sysctl -w kernel.unprivileged_userns_clone=0
echo "kernel.unprivileged_userns_clone = 0" >> /etc/sysctl.d/99-hardening.conf

This removes the ability for unprivileged users to create user namespaces, blocking the attack path entirely. Note that this will break rootless containers (Podman, Docker rootless mode, LXC unprivileged containers). On non-Ubuntu distributions, the equivalent upstream sysctl is user.max_user_namespaces = 0.

Recommended Actions

  1. Apply Ubuntu kernel security updates via apt-get update && apt-get dist-upgrade. Fixed kernels (USN-4917-1 / USN-4918-1) were released April 15, 2021. Verify with uname -r.

  2. Apply the unprivileged user namespace sysctl above as an immediate mitigation before the kernel update can be applied.

  3. Ubuntu-based container hosts: Any Ubuntu host running containers is exposed — both host shells and container workloads can exploit this. Prioritize kernel updates on container hosts.

  4. Non-Ubuntu systems: Verify your kernel is not carrying similar downstream overlayfs patches. Most non-Ubuntu distributions using the upstream kernel are not affected.

  5. Harden the kernel baseline: User namespace restrictions are one layer of a broader KSPP hardening baseline. See Hardening the Linux Kernel: Defense in Depth Against Privilege Escalation for the full set of controls — including user.max_user_namespaces = 0 — that systematically reduce the attack surface available to this class of vulnerability.
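As an added example for steps 1 and 2 above (not a script from the advisory or from Ubuntu), the following checks a host's patch level against the fixed ABI numbers in the Affected Versions table and reads the two sysctls the Remediation section names. The table lookup, the uname -r parsing and the verdict strings are assumptions of this example; a kernel series absent from the table is reported as unknown rather than guessed.

```python
"""Check an Ubuntu host's exposure to CVE-2021-3493.

Added example, not from the advisory or Ubuntu. Fixed ABI numbers come from
the Affected Versions table; sysctl values are read from /proc/sys.
"""
import re

# (major, minor, patch) series -> first fixed ABI number, from the table above.
FIXED_ABI = {
    (5, 8, 0): 50,    # Ubuntu 20.10: 5.8.0-50.56
    (5, 4, 0): 71,    # Ubuntu 20.04: 5.4.0-71.79
    (4, 15, 0): 140,  # Ubuntu 18.04: 4.15.0-140.144
    (4, 4, 0): 210,   # Ubuntu 16.04 / 14.04 ESM: 4.4.0-210.242
}

_UNAME_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)(?:[.-].*)?$")


def parse_uname_r(uname_r):
    """'5.4.0-70-generic' -> ((5, 4, 0), 70); None if not an Ubuntu-style release."""
    m = _UNAME_RE.match(uname_r.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), int(m.group(4))


def kernel_fixed(uname_r):
    """True if the ABI is at or past the fixed one, False if it is in the
    vulnerable range, None if the series is not in the table."""
    parsed = parse_uname_r(uname_r)
    if parsed is None or parsed[0] not in FIXED_ABI:
        return None
    series, abi = parsed
    return abi >= FIXED_ABI[series]


def userns_blocked(sysctls):
    """sysctls maps sysctl names to their value strings. True if unprivileged
    user namespace creation is disabled by the Ubuntu knob or the upstream
    limit, the interim mitigation described above."""
    return (sysctls.get("kernel.unprivileged_userns_clone") == "0"
            or sysctls.get("user.max_user_namespaces") == "0")


def read_sysctls(names, proc_root="/proc/sys"):
    """Read sysctl values from /proc/sys; knobs the kernel lacks are left out."""
    values = {}
    for name in names:
        path = "%s/%s" % (proc_root, name.replace(".", "/"))
        try:
            with open(path) as f:
                values[name] = f.read().strip()
        except OSError:
            pass
    return values


def exposure(uname_r, sysctls):
    """Combine both checks into one verdict."""
    fixed = kernel_fixed(uname_r)
    if fixed is True:
        return "patched"
    if userns_blocked(sysctls):
        return "mitigated"  # vulnerable or unknown kernel, but the attack path is closed
    if fixed is False:
        return "VULNERABLE"
    return "unknown series; check against the vendor advisory"


if __name__ == "__main__":
    import os
    release = os.uname().release
    knobs = read_sysctls(["kernel.unprivileged_userns_clone", "user.max_user_namespaces"])
    print(release, knobs, "->", exposure(release, knobs))
```

The verdict deliberately ranks a patched kernel above the sysctl mitigation: the sysctl closes this attack path but also disables rootless containers, so it is the stopgap until the kernel update from step 1 is in place.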

Key Details

Property               Value
CVE ID                 CVE-2021-3493
Vendor / Product       Linux — Kernel
NVD Published          2021-04-17
NVD Last Modified      2025-10-28
CVSS 3.1 Score         8.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-270 — Privilege Context Switching Error
CISA KEV Added         2022-10-20
CISA KEV Deadline      2022-11-10
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-11-10. Apply updates per vendor instructions. Ubuntu kernel security updates are available for all affected LTS releases. As an interim mitigation on Ubuntu, set kernel.unprivileged_userns_clone=0 if user namespaces are not required.

Timeline

Date          Event
2021-04-15    Ubuntu kernel security patches released (USN-4917-1, USN-4918-1); public disclosure
2021-04-17    CVE-2021-3493 published
2022-10-20    Added to CISA Known Exploited Vulnerabilities catalog
2022-11-10    CISA BOD 22-01 remediation deadline