CVE-2023-0386
published 2023-03-22


Priority: P1 82 · high · 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, due 2025-07-08
Exploited in the wild
EPSS: 7.88% (94.0th percentile)
A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.

Affected

24 ranges

Vendor     Product                                              Version range                  Fixed in
canonical  ubuntu_linux
canonical  ubuntu_linux
canonical  ubuntu_linux
debian     debian_linux
debian     linux                                                < linux 6.1.11-1 (bookworm)    linux 6.1.11-1 (bookworm)
linux      linux_kernel
linux      linux_kernel
linux      linux_kernel                                         >= 0 < 5.10.179-1              5.10.179-1
linux      linux_kernel                                         >= 0 < 6.1.11-1                6.1.11-1
linux      linux_kernel                                         >= 0 < 6.1.11-1                6.1.11-1
linux      linux_kernel                                         >= 0 < 6.1.11-1                6.1.11-1
linux      linux_kernel                                         >= 0 < 5.15.0-70.77            5.15.0-70.77
linux      linux_kernel                                         >= 0 < 5.4.0-150.167           5.4.0-150.167
linux      linux_kernel                                         >= 0 < 5.15.0-73.80            5.15.0-73.80
linux      linux_kernel                                         >= 5.11 < 5.15.91              5.15.91
linux      linux_kernel                                         >= 5.16 < 6.1.9                6.1.9
msrc       cbl2_kernel_5.15.107.1-2_on_cbl_mariner_2.0
msrc       cbl_mariner_1.0_arm
msrc       cbl_mariner_1.0_x64
msrc       cbl_mariner_2.0_arm
msrc       cbl_mariner_2.0_x64
msrc       cm1_hyperv-daemons_5.10.188.1-1_on_cbl_mariner_1.0
msrc       cm1_kernel_5.10.185.1-1_on_cbl_mariner_1.0
paloalto   pan-os

Detection & IOCs (extracted from sources)

url: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a
path: modules/exploits/linux/local/cve_2023_0386_overlayfs_priv_esc.rb
  • Monitor for OverlayFS (overlay module) mount operations performed by low-privileged users, particularly copies of setuid/capable files from nosuid mounts into other mounts; this copy is the core exploitation primitive for CVE-2023-0386.
  • Alert on unexpected loading of the 'overlay' kernel module by non-root users; blacklisting the overlay module is the recommended mitigation, so any unexpected presence or load of it should be treated as suspicious.
  • CVE-2023-0386 is trivially exploitable on Linux kernels below version 6.2; prioritize detection on hosts running kernel < 6.2 across Debian, Red Hat, Ubuntu, and Amazon Linux distributions.
  • A public Metasploit module exists for this CVE (linux/local/cve_2023_0386_overlayfs_priv_esc); detect execution of binaries or scripts matching this module's artifacts on monitored Linux endpoints.
  • On Red Hat systems, note that only RHEL 8.6 and later are affected; focus detection and patching efforts on those versions and above.
  • CISA has confirmed active exploitation in the wild; this is not merely a theoretical vulnerability, so treat any unpatched Linux host with kernel < 6.2 as at risk.
  • Red Hat Enterprise Linux 6 and 7 (including kernel-rt) are NOT affected; only RHEL 8.6+ introduced the vulnerable code path.
  • Debian fixed versions are: bookworm/sid/trixie/forky fixed in 6.1.11-1; bullseye fixed in 5.10.179-1. Systems on earlier package versions remain vulnerable.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv                     7.8    HIGH
vulncheck               7.8    HIGH
cisa                    7.8    HIGH
vendor_debian           7.8    HIGH
vendor_msrc             7.8    HIGH
vendor_redhat           7.8    HIGH
vendor_ubuntu           7.8    HIGH