CVE-2023-0386 — Linux Kernel Improper Ownership Management Vulnerability


Linux Kernel OverlayFS — FUSE setuid File Copy Bypasses nosuid; Local Root Privilege Escalation; KEV Added June 2025 Reflecting Ongoing Exploitation

What is Linux OverlayFS?

OverlayFS is a Linux kernel filesystem that stacks a writable "upper" directory on top of one or more read-only "lower" directories. The result is a merged view: reads fall through to the lower layer when a file is not present in upper, and the first write to a lower file copies it into the upper layer (a "copy-up"), after which the upper copy shadows the original. OverlayFS is widely used by container runtimes (Docker, Podman, containerd), package managers and live OS images. FUSE (Filesystem in Userspace) lets ordinary users implement filesystems in user space, which means the FUSE daemon, not the kernel, decides what owner and mode each file reports. How the kernel handled file ownership and the setuid bit when copying a file up from a FUSE lower layer into an OverlayFS upper layer was the root cause of CVE-2023-0386.

Overview

CVE-2023-0386 is an improper ownership management vulnerability (CWE-282) in the Linux kernel's OverlayFS subsystem that allows a local user with standard privileges to escalate to root. When OverlayFS copies a file up from the lower layer to the upper layer, it reproduces the lower file's owner and mode on the upper copy using kernel-internal uid/gid values, without checking that those ids are mapped in the mounter's user namespace. An unprivileged user can therefore mount OverlayFS inside a user namespace over a FUSE lower layer that claims a root-owned setuid (or capability-bearing) file, trigger a copy-up, and obtain a genuine root-owned setuid binary on the host filesystem holding the upper directory, where the nosuid restriction of the FUSE mount no longer applies. Unprivileged OverlayFS mounts were introduced in Linux 5.11; the fix ("ovl: fail on invalid uid/gid mapping at copy up") was merged for 6.2 in January 2023 and backported to stable kernels. CISA added the CVE to the KEV catalog in June 2025, more than two years later, indicating exploitation of systems that still had not received the patch.

Affected Versions

Product                            Affected                                                 Fixed
Linux kernel (mainline)            5.11 through 6.1 (unprivileged OverlayFS mounts          6.2, plus stable backports
                                   were introduced in 5.11)
RHEL 8 / 9                         Per vendor advisory                                      Vendor kernel update (March 2023)
Ubuntu 20.04 / 22.04               Per vendor advisory                                      Vendor kernel update (March 2023)
Other enterprise distributions     Vendor-specific kernels                                  Check vendor security advisories

Distribution kernels carry backports in both directions: a vendor kernel whose upstream base predates 5.11 is affected only if the vendor backported unprivileged OverlayFS mounts, and a 5.15-based vendor kernel may already contain the fix. Judge exposure by the vendor advisory and package changelog, not by the upstream version number alone.

Technical Details

The vulnerability is a gap between two user-namespace rules that are normally enforced independently. A FUSE filesystem mounted by an unprivileged user may claim any owner and mode for its files, but the mount is forced nosuid so those claims cannot be exercised; and chown(2) refuses to assign an owner that has no mapping in the caller's user namespace. OverlayFS copy-up bypassed the second rule:

  1. Setup: The attacker mounts a FUSE filesystem (unprivileged FUSE mounts are always nosuid) whose daemon reports a file owned by uid 0 with the setuid bit set, optionally carrying file capabilities such as cap_setuid=eip. Executing the file from the FUSE mount gains nothing, because nosuid is honoured there.
  2. OverlayFS copy-up: Inside a user and mount namespace the attacker mounts OverlayFS (permitted for unprivileged users since 5.11) with the FUSE mount as lowerdir and a directory on an ordinary host filesystem, such as /tmp, as upperdir, then opens the file for writing or touches its metadata to trigger copy-up. The copy-up runs with the mounter's credentials and applies the lower file's kernel-internal uid/gid and mode to the new upper inode directly, never translating them through the mounter's user namespace. Uid 0 has no mapping there and should have been rejected, exactly as a userspace "cp -a" of the same file would have failed.
  3. Exploitation: The upper directory now holds a root-owned setuid copy of the attacker's binary on a filesystem that honours setuid. The attacker executes it from the upperdir path on the host (not through the OverlayFS or FUSE mounts, neither of which yields root for this user) and runs as root.

The exploit is reliable (AC:L) because it involves no race or timing dependency: every copy-up of a file with an unmapped owner produced the same result on an unpatched kernel. The fix makes ovl_copy_up_one() fail with EOVERFLOW when the lower file's uid or gid has no mapping in the mounter's user namespace.

Discovery

The vulnerability was found by researchers examining the interaction between OverlayFS copy-up and unprivileged (user-namespace) mounts. A public proof-of-concept exploit was published after the kernel patch and was quickly shown to gain root reliably on affected kernels from an ordinary user account. Many enterprise Linux systems running kernels in the 5.11 to 6.1 range without vendor backports remained exposed for extended periods.

Exploitation Context

Linux local privilege escalation bugs are used by attackers who already have low-privileged code execution on a host (via a web shell, a compromised service account, or an interactive account on a shared server) and, because containers share the host kernel, by attackers inside a container that can reach the vulnerable code path. The attack needs to create a user namespace and perform mounts; the default seccomp profiles of common container runtimes block mount(2) and unprivileged user-namespace creation, but privileged containers, containers run with seccomp=unconfined, and multi-tenant hosts that allow unprivileged user namespaces and FUSE remain exposed. The two-year gap between disclosure (March 2023) and CISA KEV addition (June 2025) reflects how many Linux systems in production, particularly long-lived enterprise servers and cloud workloads, lag on kernel updates.

Remediation

  1. Update the Linux kernel — apply the vendor-provided security kernel update for your distribution (RHEL, Ubuntu, Debian, SUSE, etc.); the fix was included in patches issued in early-to-mid 2023 for major distributions, and the host must be rebooted into the new kernel.
  2. Verify the patch is applied — compare the running kernel (uname -r) against the version named in your vendor's advisory, or search the vendor kernel package's changelog for CVE-2023-0386. Do not rely on the upstream version number alone: distribution kernels backport fixes, so a 5.15-based vendor kernel can already be fixed while an unpatched upstream 5.15 is vulnerable.
  3. Restrict unprivileged user namespaces if the patch cannot be applied immediately; the attack needs a user namespace to mount OverlayFS:
    • On Ubuntu/Debian kernels: sudo sysctl -w kernel.unprivileged_userns_clone=0
    • On any kernel (RHEL/CentOS and others): sudo sysctl -w user.max_user_namespaces=0
    • Persist the setting under /etc/sysctl.d/ or it is lost at reboot. These mitigations break rootless containers, browser sandboxes and other software that relies on unprivileged user namespaces.
  4. Restrict FUSE mounts for unprivileged users — the public exploit uses FUSE to present a root-owned setuid file; limit access to /dev/fuse and the setuid fusermount helper through group permissions or AppArmor/SELinux policy. This removes the known exploitation path but not the underlying bug, which any lower filesystem presenting an unmapped owner could trigger.
  5. Treat the host kernel as the fix boundary for containers — containers share the host kernel, so updating container runtimes does not address this flaw. Default runtime seccomp profiles, which block mount(2) and unprivileged user-namespace creation, limit a container's ability to exercise the code path, but privileged containers and containers running with seccomp=unconfined can still reach it.

Key Details

Property                 Value
CVE ID                   CVE-2023-0386
Vendor / Product         Linux — Kernel
NVD Published            2023-03-22
NVD Last Modified        2025-11-04
CVSS 3.1 Score           7.8
CVSS 3.1 Vector          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity                 HIGH
CWE                      CWE-282 (Improper Ownership Management)
CISA KEV Added           2025-06-17
CISA KEV Deadline        2025-07-08
Known Ransomware Use     No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-07-08. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2023-01       Fix ("ovl: fail on invalid uid/gid mapping at copy up", by OverlayFS maintainer Miklos Szeredi) merged into the mainline kernel for 6.2 and queued for stable backports
2023-03-22    CVE-2023-0386 published in NVD; vendor patches (RHEL, Ubuntu, Debian, SUSE) begin rolling out
2023-04       Public proof-of-concept exploit code published; it reliably gains root from an unprivileged user on unpatched kernels
2025-06-17    Added to the CISA Known Exploited Vulnerabilities catalog, over two years after disclosure, reflecting continued exploitation of unpatched Linux systems
2025-07-08    CISA BOD 22-01 remediation deadline