CVE-2023-0386
Published 2023-03-22
CVE-2023-0386: A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS…
Priority: P1 · 82 · high · 7.8 (CVSS 3.1)
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2025-07-08)
Exploited in the wild
EPSS: 7.88% (94.0th percentile)
A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.11-1 (bookworm) | linux 6.1.11-1 (bookworm) |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.179-1 | 5.10.179-1 |
| linux | linux_kernel | >= 0 < 6.1.11-1 | 6.1.11-1 |
| linux | linux_kernel | >= 0 < 6.1.11-1 | 6.1.11-1 |
| linux | linux_kernel | >= 0 < 6.1.11-1 | 6.1.11-1 |
| linux | linux_kernel | >= 0 < 5.15.0-70.77 | 5.15.0-70.77 |
| linux | linux_kernel | >= 0 < 5.4.0-150.167 | 5.4.0-150.167 |
| linux | linux_kernel | >= 0 < 5.15.0-73.80 | 5.15.0-73.80 |
| linux | linux_kernel | >= 5.11 < 5.15.91 | 5.15.91 |
| linux | linux_kernel | >= 5.16 < 6.1.9 | 6.1.9 |
| msrc | cbl2_kernel_5.15.107.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_hyperv-daemons_5.10.188.1-1_on_cbl_mariner_1.0 | — | — |
| msrc | cm1_kernel_5.10.185.1-1_on_cbl_mariner_1.0 | — | — |
| paloalto | pan-os | — | — |
Detection & IOCs (extracted from sources)
- Monitor for OverlayFS (overlay module) mount operations performed by low-privileged users, particularly copying setuid/capable files from nosuid mounts into other mounts; this is the core exploitation primitive for CVE-2023-0386.
- Alert on unexpected loading of the 'overlay' kernel module by non-root users; blacklisting the overlay module is the recommended mitigation and its unexpected presence/load should be treated as suspicious.
- CVE-2023-0386 is trivially exploitable on Linux kernels below version 6.2; prioritize detection on hosts running kernel < 6.2 across Debian, Red Hat, Ubuntu, and Amazon Linux distributions.
- A public Metasploit module exists for this CVE (linux/local/cve_2023_0386_overlayfs_priv_esc); detect execution of binaries or scripts matching this module's artifacts on monitored Linux endpoints.
- On Red Hat systems, note that only RHEL 8.6 and later are affected; focus detection and patching efforts on those versions and above.
- CISA has confirmed active exploitation in the wild; this is not merely a theoretical vulnerability. Treat any unpatched Linux host with kernel < 6.2 as at-risk.
- Red Hat Enterprise Linux 6 and 7 (including kernel-rt) are NOT affected; only RHEL 8.6+ introduced the vulnerable code path.
- Debian fixed versions are: bookworm/sid/trixie/forky fixed in 6.1.11-1; bullseye fixed in 5.10.179-1. Systems on earlier package versions remain vulnerable.
CVSS provenance
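| Source | Score | Severity |
|---|---|---|
| nvd | 7.8 | HIGH |
| osv | 7.8 | HIGH |
| vulncheck | 7.8 | HIGH |
| cisa | 7.8 | HIGH |
| vendor_debian | 7.8 | HIGH |
| vendor_msrc | 7.8 | HIGH |
| vendor_redhat | 7.8 | HIGH |
| vendor_ubuntu | 7.8 | HIGH |

NVD vector (CVSS v3.1): CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H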
CISA
Linux Kernel Improper Ownership Management Vulnerability
cisa·2025-06-17·CVSS 7.8
CVE-2023-0386 [HIGH] CWE-282 Linux Kernel Improper Ownership Management Vulnerability
Vulnerability: Linux Kernel Improper Ownership Management Vulnerability
Affected: Linux Kernel
Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, pleas
Palo Alto
PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2024-02-14·CVSS 9.8
CVE-2017-18342 [CRITICAL] PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-18342, CVE-2017-8923, CVE-2017-9120, CVE-2019-1551, CVE-2019-16865, CVE-2019-16905, CVE-2019-19523, CVE-2019-19528, CVE-2019-19911, CVE-2020-0404, CVE-2020-0431, CVE-2020-0466, CVE-2020-10379, CVE-2020-11538, CVE-2020-11608, CVE-2020-12114, CVE-2020-12321, CVE-2020-12362, CVE-2020-12363, CVE-2020-12364, CVE-2020-13757, CVE-2020-14314, CVE-2020-14351, CVE-2020-15778, CVE-2020-1967, CVE-2020-24394, CVE-2020-24504, CVE-2020-25211, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-25717, CVE-2020-26541, CVE-2020-2715
Ubuntu
Kernel Live Patch Security Notice
vendor_ubuntu·2023-06-21·CVSS 7.8
CVE-2023-32233 [HIGH] Kernel Live Patch Security Notice
Title: Kernel Live Patch Security Notice
Summary: Several security issues were fixed in the kernel.
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operation in some conditions. A local attacker
could possibly use this to gain elevated privileges. (CVE-2023-0386)
It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux
kernel did not properly perform data buffer size validation in some
situations. A physically proximate attacker could use this to craft a
malicious USB device that when inserted, could cause a denial of service
(system crash) or possibly expose sensitive information. (CVE-2023-1380)
It was discovered that a race condition existed in the io_uring subsystem
in the Linux kernel, leading to a use-after-fre
Ubuntu
Linux kernel (Intel IoTG) vulnerabilities
vendor_ubuntu·2023-06-01·CVSS 4.7
CVE-2023-1075 [MEDIUM] Linux kernel (Intel IoTG) vulnerabilities
Title: Linux kernel (Intel IoTG) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed. (CVE-2023-1829)
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel contained a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-1281)
It was discovered that the OverlayFS implementation in the Linux kern
Ubuntu
Linux kernel (OEM) vulnerabilities
vendor_ubuntu·2023-05-10·CVSS 7.8
CVE-2023-1859 [HIGH] Linux kernel (OEM) vulnerabilities
Title: Linux kernel (OEM) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed. (CVE-2023-1829)
Lin Ma discovered a race condition in the io_uring subsystem in the Linux
kernel, leading to a null pointer dereference vulnerability. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2023-0468)
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operatio
Ubuntu
Linux kernel (OEM) vulnerabilities
vendor_ubuntu·2023-05-10·CVSS 7.0
CVE-2023-1859 [HIGH] Linux kernel (OEM) vulnerabilities
Title: Linux kernel (OEM) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed. (CVE-2023-1829)
Lin Ma discovered a race condition in the io_uring subsystem in the Linux
kernel, leading to a null pointer dereference vulnerability. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2023-0468)
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operatio
Ubuntu
Linux kernel (Intel IoTG) vulnerabilities
vendor_ubuntu·2023-05-05·CVSS 5.5
CVE-2022-4842 [MEDIUM] Linux kernel (Intel IoTG) vulnerabilities
Title: Linux kernel (Intel IoTG) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel contained a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-1281)
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operation in some conditions. A local attacker
could possibly use this to gain elevated privileges. (CVE-2023-0386)
Haowei Yan discovered that a race condition existed in the Layer 2
Tunneling Protocol (L2TP) implementation in the Linux kernel. A local
attacker could possibly use this to cause a denial of service
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2023-04-26·CVSS 7.8
CVE-2023-0386 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed. (CVE-2023-1829)
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operation in some conditions. A local attacker
could possibly use this to gain elevated privileges. (CVE-2023-0386)
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: D
Ubuntu
Linux kernel (HWE) vulnerabilities
vendor_ubuntu·2023-04-25·CVSS 5.5
CVE-2022-4129 [MEDIUM] Linux kernel (HWE) vulnerabilities
Title: Linux kernel (HWE) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel contained a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-1281)
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operation in some conditions. A local attacker
could possibly use this to gain elevated privileges. (CVE-2023-0386)
Haowei Yan discovered that a race condition existed in the Layer 2
Tunneling Protocol (L2TP) implementation in the Linux kernel. A local
attacker could possibly use this to cause a denial of service (syste
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2023-04-19·CVSS 5.5
CVE-2022-4842 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel contained a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-1281)
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operation in some conditions. A local attacker
could possibly use this to gain elevated privileges. (CVE-2023-0386)
Haowei Yan discovered that a race condition existed in the Layer 2
Tunneling Protocol (L2TP) implementation in the Linux kernel. A local
attacker could possibly use this to cause a denial of service (system
cras
Microsoft
A flaw was found in the Linux kernel where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable
vendor_msrc·2023-03-14·CVSS 7.8
CVE-2023-0386 [HIGH] CWE-282 A flaw was found in the Linux kernel where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable
A flaw was found in the Linux kernel where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF
Red Hat
kernel: FUSE filesystem low-privileged user privileges escalation
vendor_redhat·2023-01-24·CVSS 7.8
CVE-2023-0386 [HIGH] CWE-282 kernel: FUSE filesystem low-privileged user privileges escalation
A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.
Statement: This vulnerability was first introduced into Red Hat Enter
Debian
CVE-2023-0386: linux - A flaw was found in the Linux kernel, where unauthorized access to the execution...
vendor_debian·2023·CVSS 7.8
CVE-2023-0386 [HIGH] CVE-2023-0386: linux - A flaw was found in the Linux kernel, where unauthorized access to the execution...
A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.
Scope: local
bookworm: resolved (fixed in 6.1.11-1)
bullseye: resolved (fixed in 5.10.179-1)
forky: resolved (fixed in 6.1.11-1)
sid: resolved (fixed in 6.1.11-1)
trixie: resolved (fixed in 6.1.11-1)
GHSA
GHSA-p72q-v88c-rprq: A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s
ghsa_unreviewed·2023-07-06
CVE-2023-0386 [HIGH] CWE-282 GHSA-p72q-v88c-rprq: A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s
A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.
OSV
Kernel Live Patch Security Notice
osv·2023-06-21·CVSS 7.8
CVE-2023-0386 [HIGH] Kernel Live Patch Security Notice
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operation in some conditions. A local attacker
could possibly use this to gain elevated privileges. (CVE-2023-0386)
It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux
kernel did not properly perform data buffer size validation in some
situations. A physically proximate attacker could use this to craft a
malicious USB device that when inserted, could cause a denial of service
(system crash) or possibly expose sensitive information. (CVE-2023-1380)
It was discovered that a race condition existed in the io_uring subsystem
in the Linux kernel, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial
OSV
linux-intel-iotg-5.15 vulnerabilities
osv·2023-06-01·CVSS 4.7
CVE-2023-1829 [MEDIUM] linux-intel-iotg-5.15 vulnerabilities
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed. (CVE-2023-1829)
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel contained a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-1281)
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operation in some conditions. A local atta
OSV
linux-oem-5.17 vulnerabilities
osv·2023-05-10·CVSS 7.0
CVE-2023-1829 [HIGH] linux-oem-5.17 vulnerabilities
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed. (CVE-2023-1829)
Lin Ma discovered a race condition in the io_uring subsystem in the Linux
kernel, leading to a null pointer dereference vulnerability. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2023-0468)
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operation in some conditions. A local attacker
could possibly use this to gain elevat
OSV
linux-oem-6.0 vulnerabilities
osv·2023-05-10·CVSS 7.8
CVE-2023-1829 [HIGH] linux-oem-6.0 vulnerabilities
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed. (CVE-2023-1829)
Lin Ma discovered a race condition in the io_uring subsystem in the Linux
kernel, leading to a null pointer dereference vulnerability. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2023-0468)
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operation in some conditions. A local attacker
could possibly use this to gain elevate
OSV
linux-intel-iotg vulnerabilities
osv·2023-05-05·CVSS 5.5
CVE-2023-1281 [MEDIUM] linux-intel-iotg vulnerabilities
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel contained a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-1281)
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operation in some conditions. A local attacker
could possibly use this to gain elevated privileges. (CVE-2023-0386)
Haowei Yan discovered that a race condition existed in the Layer 2
Tunneling Protocol (L2TP) implementation in the Linux kernel. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2022-4129)
It was discovered that the network queuing disci
OSV
linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi vulnerabilities
osv·2023-04-26·CVSS 7.8
CVE-2023-1829 [HIGH] linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi vulnerabilities
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed. (CVE-2023-1829)
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operation in some conditions. A local attacker
could possibly use this to gain elevated privileges. (CVE-2023-0386)
OSV
linux-hwe-5.15 vulnerabilities
osv·2023-04-25·CVSS 5.5
CVE-2023-1281 [MEDIUM] linux-hwe-5.15 vulnerabilities
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel contained a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-1281)
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operation in some conditions. A local attacker
could possibly use this to gain elevated privileges. (CVE-2023-0386)
Haowei Yan discovered that a race condition existed in the Layer 2
Tunneling Protocol (L2TP) implementation in the Linux kernel. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2022-4129)
It was discovered that the network queuing discipl
OSV
linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux-lowla
osv·2023-04-19·CVSS 5.5
[MEDIUM] linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux-lowla
linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi vulnerabilities
It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel contained a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-1281)
It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operation in some conditions. A local attacker
could possibly use this to gain elevated privileges. (CVE-2023-0386)
Haowei Yan discovered that a race co
OSV
CVE-2023-0386: A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s
osv·2023-03-22·CVSS 7.8
CVE-2023-0386 [HIGH] CVE-2023-0386: A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s
A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.
VulnCheck
Linux Kernel Improper Ownership Management Vulnerability
vulncheck·2023·CVSS 7.8
CVE-2023-0386 [HIGH] CWE-282 Linux Kernel Improper Ownership Management Vulnerability
Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.
Affected: Linux Kernel
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.loginsoft.com/reports/annually/vulnerability-int
No detection rules found.
Bugzilla
CVE-2023-0386 kernel: FUSE filesystem low-privileged user privileges escalation
bugzilla·2023-01-09·CVSS 7.8
CVE-2023-0386 [HIGH] CVE-2023-0386 kernel: FUSE filesystem low-privileged user privileges escalation
An attacker with a low-privileged user on a Linux machine with an overlay mount which has a file capability in one of its layers may escalate his privileges up to root when copying a capable file from a nosuid mount into another mount. This vulnerability is similar to the CVE-2021-3847, but requires less permissions to run, so higher priority. The steps to reproduce:
1. Mount a FUSE filesystem that exposes a root owned setuid/setgid binary that is world writable.
2. unshare user/mount namespaces
3. mount an overlay with the FUSE fs as the lower dir, and a user writable upper dir (as usual). Make sure that the upper dir is on a filesystem that is not mounted with `nosuid`.
4. touch the file at the merged path
Bleepingcomputer
CISA warns of attackers exploiting Linux flaw with PoC exploit
blogs_bleepingcomputer·2025-06-18·CVSS 7.8
CVE-2023-0386 [HIGH] CISA warns of attackers exploiting Linux flaw with PoC exploit
By Sergiu Gatlan
According to an analysis by Datadog Security Labs, CVE-2023-0386 is trivial to exploit and impacts a wide range of Linux distributions, including popular ones like Debian, Red Hat, Ubuntu, and Amazon Linux, if they're using a kernel version lower than 6.2.
"Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel's OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount," CISA explains. "This uid mapping bug allows a local user to escalate their privileges on the system."
As mandated by the November 2021 Binding Operational Directive (BOD) 22-
Wiz
GameOverlay Vulnerability Impacts 40% of Ubuntu Workloads | Wiz Blog
blogs_wiz·2023-07-27·CVSS 7.8
CVE-2023-2640 [HIGH] GameOverlay Vulnerability Impacts 40% of Ubuntu Workloads | Wiz Blog
CVE-2023-2640 and CVE-2023-32629 were found in the OverlayFS module in Ubuntu, which is a widely used Linux filesystem that became highly popular with the rise of containers as its features enable the deployment of dynamic filesystems based on pre-built images. OverlayFS serves as an attractive attack surface as it has a history of numerous logical vulnerabilities that were easy to exploit. This makes the newly discovered vulnerabilities especially risky given the exploits for the past OverlayFS vulnerabilities work out of the box without any changes.
The two vulnerabilities are exclusive to Ubuntu because Ubuntu introduced several changes to the OverlayFS module in 2018. These modifications did not pose any risks at the time. In 2020, a security vulnerability was discovered and patched in
CTF
easy / README
ctf_writeups·CVSS 6.0
[MEDIUM] easy / README
# HackTheBox Easy Machines - Comprehensive Reference
> Complete catalog of retired HTB Easy machines with OS, key vulnerability, attack path summary, and quality writeup links.
**Total: 100+ Easy Machines** | Updated: April 2026
References
- http://packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a
- https://lists.debian.org/debian-lts-announce/2023/06/msg00008.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
- https://security.netapp.com/advisory/ntap-20230420-0004/
- https://www.debian.org/security/2023/dsa-5402
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-0386
Published: 2023-03-22
Added to CISA KEV: 2025-06-17
Exploited in the wild