
The United States Cybersecurity and Infrastructure Security Agency (CISA) has formally added a critical flaw in the Linux kernel—CVE-2023-0386—to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, despite having been patched in early 2023, has seen a surge in real-world exploitation in recent months.
The flaw lies within the OverlayFS subsystem—a mechanism used to merge multiple file system layers, widely adopted in containerized environments and live distributions. The vulnerability is triggered when executable files with elevated privileges are transferred between mounted volumes. The system fails to verify whether the user belongs to the correct namespace, thereby enabling unauthorized privilege escalation.
According to a report by Datadog published in May 2023, exploiting this vulnerability is remarkably straightforward. An attacker can craft a file marked with the SUID flag in a directory such as /tmp, effectively gaining root-level privileges. This simplicity makes the flaw especially enticing for widespread abuse via automated exploitation tools.
Although developers responded swiftly with a fix, CISA recorded continued exploitation of this bug by malicious actors well into 2024. While the exact tactics remain undisclosed, its inclusion in the KEV catalog unmistakably signals active exploitation in the wild.
The flaw undermines a foundational security feature of Linux—namespaces, which are intended to isolate user privileges and process domains. Due to faulty implementation in the handling of layered file systems, attackers can migrate executables between layers and run them with administrative rights. This poses grave risks in multi-user environments and containerized architectures.
Further compounding the threat, researchers at Wiz identified two adjacent vulnerabilities—CVE-2023-32629 and CVE-2023-2640—collectively dubbed GameOver(lay). These flaws also exploit OverlayFS logic failures, enabling the creation of executables that run with system-level privileges, echoing the risk profile of CVE-2023-0386.
Given the escalating threat, CISA has mandated all Federal Civilian Executive Branch (FCEB) agencies to apply the relevant patches by July 8, 2025. This directive aims to curb the potential for attacks and bolster the resilience of government IT infrastructure against privilege escalation techniques.
However, the danger extends far beyond government systems. Any Linux-based infrastructure utilizing the vulnerable OverlayFS implementation remains exposed—particularly public-facing servers, cloud environments, and CI/CD pipelines that rely heavily on robust isolation mechanisms.
Even with security frameworks like AppArmor or SELinux in place, the exploit can circumvent protections if the kernel is outdated. The attack’s autonomous nature—requiring no external libraries and leveraging existing system tools—further amplifies the risk.
True cybersecurity transcends firewalls and antivirus software; it demands rigorous version control of system components and meticulous audits of SUID file permissions, especially in open and distributed ecosystems.
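As an added defender-side check (example code written for this page, not from the article, CISA, Datadog or the kernel project): a small Python audit that reads overlay mounts and their upperdir from /proc/mounts text and walks directories such as /tmp for setuid files, the artefact the article describes. SAMPLE_MOUNTS and the scratch tree are constructed; on a live host, pass open("/proc/mounts").read() to the parser and add the upperdir paths it returns to the roots being scanned.

```python
import os
import stat
import tempfile

# Constructed sample in the shape of /proc/mounts; the paths are placeholders.
SAMPLE_MOUNTS = """\
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
overlay /var/lib/docker/overlay2/EXAMPLE/merged overlay rw,relatime,lowerdir=/l/A:/l/B,upperdir=/var/lib/docker/overlay2/EXAMPLE/diff,workdir=/var/lib/docker/overlay2/EXAMPLE/work 0 0
"""

def parse_overlay_mounts(mounts_text):
    """Return (mountpoint, upperdir) for each overlay mount; copied-up files land in upperdir."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "overlay":
            continue
        opts = dict(opt.partition("=")[::2] for opt in fields[3].split(","))
        found.append((fields[1], opts.get("upperdir")))
    return found

def find_suid_files(roots):
    """Walk each root (symlinks not followed) and return (path, owner uid) of setuid regular files."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable: skip rather than abort the audit
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    hits.append((path, st.st_uid))
    return sorted(hits)

def make_sample_tree():
    """Constructed scratch directory with one setuid file and one ordinary file for a dry run."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    for name, mode in (("planted", 0o4755), ("normal", 0o755)):
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return base, os.path.join(base, "planted")

if __name__ == "__main__":  # dry run on the constructed tree plus the real /tmp
    for path, uid in find_suid_files([make_sample_tree()[0], "/tmp"]):
        print(f"setuid file {path} (uid {uid})")
```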