CVE-2023-0386
In short
A bug in Linux's OverlayFS allows a local user to run programs with elevated privileges by copying files with special permissions across different mount points. This can let an attacker gain admin-level access to the system.
Technical detail
A uid mapping vulnerability in OverlayFS permits a local attacker to copy setuid/capability-bearing files from nosuid mounts to other mounts, bypassing security restrictions. The attack requires local filesystem access and results in privilege escalation to root or other privileged accounts.
Summary generated and translated by AI from the official description.
A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · Kernel
Public PoCs found — 17
github · github.com/xkaneiki/CVE-2023-0386 · ★ 420
github · github.com/chenaotian/CVE-2023-0386 · ★ 124
github · github.com/sxlmnwb/CVE-2023-0386 · ★ 51
github · github.com/Fanxiaoyao66/CVE-2023-0386 · ★ 21
github · github.com/puckiestyle/CVE-2023-0386 · ★ 18
github · github.com/veritas501/CVE-2023-0386 · ★ 10
github · github.com/P4x1s/CVE-2023-0386 · ★ 4
github · github.com/Satheesh575555/linux-4.19.72_CVE-2023-0386 · ★ 4
github · github.com/orilevy8/cve-2023-0386 · ★ 1
github · github.com/anxs3c/TwoMillion-Machine · ★ 0
github · github.com/letsr00t/CVE-2023-0386 · ★ 0
github · github.com/churamanib/CVE-2023-0386 · ★ 0
github · github.com/EstamelGG/CVE-2023-0386-libs · ★ 0
github · github.com/dragosbanica/CVE-2023-0386_POC · ★ 0
github · github.com/karimelsheikh1/HTB-TwoMillion-Writeup · ★ 0
github · github.com/julianertle/CVE-2023-0386-CTF · ★ 0
cve_reference · packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html · unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a
https://lists.debian.org/debian-lts-announce/2023/06/msg00008.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
https://security.netapp.com/advisory/ntap-20230420-0004/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-0386
https://www.debian.org/security/2023/dsa-5402