CISA Issues Alert on Ongoing Exploitation of Linux Kernel Privilege Escalation Vulnerability


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included a significant security vulnerability affecting the Linux kernel in its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in real-world scenarios.

The vulnerability, identified as CVE-2023-0386 with a CVSS score of 7.8, involves an improper ownership flaw within the Linux kernel that may allow privilege escalation on affected systems. This issue was addressed in early 2023.

According to CISA, the vulnerability stems from improper ownership management in the Linux kernel's OverlayFS subsystem, which permits unauthorized execution of setuid files with capabilities. Specifically, it is triggered when a user copies a capable file from a nosuid mount into another mount.

“This uid mapping bug allows a local user to escalate their privileges on the system,” CISA noted.

Details regarding the exploitation method remain somewhat unclear. A report from Datadog published in May 2023 suggested that the vulnerability is relatively simple to exploit: a trick leads the kernel to create a SUID binary owned by root in a directory such as "/tmp", which is then executed.

Further investigation revealed that CVE-2023-0386 stems from a flaw wherein the kernel, when copying a file from the overlay file system to the 'upper' directory, fails to verify whether the user or group ownership of the file is correctly mapped in the current user namespace. This oversight enables an unprivileged user to move a SUID binary from a 'lower' directory to the 'upper' directory using OverlayFS as an intermediary.
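A host-side check for the artefact described above, a root-owned setuid binary appearing in a scratch directory such as /tmp, written here as an added example rather than code from the post, CISA or Datadog. It also scans /proc/mounts for overlay mounts whose upperdir sits in such a directory; that second check is a coarse heuristic only (an unprivileged user's overlay may live in a separate mount namespace and not appear in the host's /proc/mounts), and the scratch-directory list and the sample mount lines are constructed assumptions.

```python
import os
import stat
from typing import Iterable, List, Tuple

WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")  # assumption: usual scratch dirs

def suspicious_suid_files(records: Iterable[Tuple[str, int, int]]) -> List[str]:
    """(path, st_mode, uid) records -> paths of root-owned regular files with setuid/setgid set."""
    return [path for path, mode, uid in records
            if stat.S_ISREG(mode) and uid == 0 and mode & (stat.S_ISUID | stat.S_ISGID)]

def collect_records(root: str) -> List[Tuple[str, int, int]]:
    """Walk a tree with lstat (symlinks are not followed) and build (path, mode, uid) records."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:  # vanished or unreadable; skip it
                continue
            out.append((p, st.st_mode, st.st_uid))
    return out

def overlay_mounts_in_tmp(proc_mounts: str) -> List[Tuple[str, str]]:
    """(mountpoint, upperdir) of overlay mounts whose upperdir lies inside a scratch dir."""
    found = []
    for line in proc_mounts.splitlines():
        parts = line.split()  # device mountpoint fstype options ...
        if len(parts) < 4 or parts[2] != "overlay":
            continue
        opts = parts[3].split(",")
        upper = next((o[len("upperdir="):] for o in opts if o.startswith("upperdir=")), "")
        if any(upper == d or upper.startswith(d + "/") for d in WORLD_WRITABLE_DIRS):
            found.append((parts[1], upper))
    return found

# Constructed /proc/mounts sample: a normal container overlay plus one rooted in /tmp.
SAMPLE_MOUNTS = """\
overlay / overlay rw,relatime,lowerdir=/l/a,upperdir=/var/lib/x/diff,workdir=/var/lib/x/work 0 0
overlay /tmp/ovl/merged overlay rw,relatime,lowerdir=/tmp/ovl/lower,upperdir=/tmp/ovl/upper,workdir=/tmp/ovl/work 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

def scan_host() -> dict:
    """Run both checks on the live host (Linux assumed); falls back to the sample mounts elsewhere."""
    suid = [p for d in WORLD_WRITABLE_DIRS if os.path.isdir(d)
            for p in suspicious_suid_files(collect_records(d))]
    mounts = open("/proc/mounts").read() if os.path.exists("/proc/mounts") else SAMPLE_MOUNTS
    return {"suid": suid, "overlay": overlay_mounts_in_tmp(mounts)}
```

Any hit from `scan_host()["suid"]` on a patched or unpatched host deserves a look, since no legitimate package installs root-owned setuid binaries under /tmp.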

Later that year, cloud security firm Wiz uncovered two further vulnerabilities, referred to as GameOver(lay) (CVE-2023-32629 and CVE-2023-2640), affecting Unix systems, with consequences akin to those of CVE-2023-0386. Wiz researchers highlighted that these vulnerabilities allow for the creation of specially crafted executables that, when run, can escalate privileges to root on the compromised system.

Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the requisite patches by July 8, 2025, to safeguard their networks against these actively exploited threats.