CVE-2023-32629
published 2023-07-26

CVE-2023-32629: Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels

Priority: P1 (78, high)
CVSS 3.1 base score: 7.8 (vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit status: exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 8.89% (94.6th percentile)
Description: Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels

Affected

35 ranges (showing 25)

Vendor     Product                         Version range             Fixed in
canonical  ubuntu_linux                    (not specified)           (not specified)
debian     linux                           (not specified)           (not specified)
linux      linux_kernel                    >= 0, < 5.4.0-155.172     5.4.0-155.172
linux      linux_kernel                    >= 0, < 4.4.0-243.277     4.4.0-243.277
linux      linux_kernel                    >= 0, < 5.4.0-155.172     5.4.0-155.172
linux      linux_kernel                    >= 0, < 5.15.0-78.85      5.15.0-78.85
ubuntu     linux                           (not specified)           (not specified)
ubuntu     linux-aws                       (not specified)           (not specified)
ubuntu     linux-aws-5.15                  (not specified)           (not specified)
ubuntu     linux-aws-fips                  (not specified)           (not specified)
ubuntu     linux-azure                     (not specified)           (not specified)
ubuntu     linux-azure-5.15                (not specified)           (not specified)
ubuntu     linux-azure-fips                (not specified)           (not specified)
ubuntu     linux-fips                      (not specified)           (not specified)
ubuntu     linux-gcp                       (not specified)           (not specified)
ubuntu     linux-gcp-5.15                  (not specified)           (not specified)
ubuntu     linux-gcp-fips                  (not specified)           (not specified)
ubuntu     linux-gke                       (not specified)           (not specified)
ubuntu     linux-gkeop                     (not specified)           (not specified)
ubuntu     linux-hwe-5.15                  (not specified)           (not specified)
ubuntu     linux-ibm                       (not specified)           (not specified)
ubuntu     linux-ibm-5.15                  (not specified)           (not specified)
ubuntu     linux-intel-iot-realtime        (not specified)           (not specified)
ubuntu     linux-intel-iotg                (not specified)           (not specified)
ubuntu     linux-intel-iotg-5.15           (not specified)           (not specified)

Detection & IOCs (extracted from sources)

Command: unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'
URL: https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629
  • Detect use of 'unshare' with overlay mount combined with 'setcap cap_setuid+eip' on a copied binary — this is the canonical one-liner exploit pattern for CVE-2023-32629/CVE-2023-2640 (GameOverlay).
  • Monitor for creation of SUID bash binaries in world-writable directories such as /var/tmp/bash (chmod 4755), which is a common post-exploitation persistence step after GameOverlay privilege escalation.
  • Alert on overlay filesystem mounts (mount -t overlay) initiated by non-root users inside user namespaces (unshare -rm), especially when combined with extended attribute manipulation — core mechanism of CVE-2023-32629.
  • A public one-line exploit for CVE-2023-2640 was disclosed via Twitter on July 28, 2023 (one day after public disclosure), indicating rapid weaponization — treat any unshare+overlay+setcap combination on Ubuntu as high-confidence exploitation attempt.
  • CVE-2023-32629 affects Ubuntu-specific kernels only — the OverlayFS permission-check bypass via ovl_copy_up_meta_inode_data/ovl_do_setxattr is an Ubuntu kernel patch introduced vulnerability, not present in upstream Linux kernels.
  • The vulnerability affects not only bare-metal/VM Ubuntu hosts but also any containers (Docker and Kubernetes) running on vulnerable Ubuntu host kernels — container workloads share the host kernel and are equally exposed.
  • Exploitation requires the ability to create user namespaces (unshare -rm) — environments that restrict unprivileged user namespace creation (e.g., via sysctl kernel.unprivileged_userns_clone=0) may mitigate this attack vector.

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv            -         7.8     HIGH       -
vulncheck      -         7.8     HIGH       -
vendor_debian  -         7.8     LOW        -
vendor_redhat  -         7.8     HIGH       -
vendor_ubuntu  -         7.8     HIGH       -