CVE-2023-32629
Published: 2023-07-26
Priority: P1 · 78 · high · CVSS 3.1: 7.8
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Status: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 8.89% (94.6th percentile)
Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels
Affected
35 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | linux | — | — |
| linux | linux_kernel | >= 0 < 5.4.0-155.172 | 5.4.0-155.172 |
| linux | linux_kernel | >= 0 < 4.4.0-243.277 | 4.4.0-243.277 |
| linux | linux_kernel | >= 0 < 5.4.0-155.172 | 5.4.0-155.172 |
| linux | linux_kernel | >= 0 < 5.15.0-78.85 | 5.15.0-78.85 |
| ubuntu | linux | — | — |
| ubuntu | linux-aws | — | — |
| ubuntu | linux-aws-5.15 | — | — |
| ubuntu | linux-aws-fips | — | — |
| ubuntu | linux-azure | — | — |
| ubuntu | linux-azure-5.15 | — | — |
| ubuntu | linux-azure-fips | — | — |
| ubuntu | linux-fips | — | — |
| ubuntu | linux-gcp | — | — |
| ubuntu | linux-gcp-5.15 | — | — |
| ubuntu | linux-gcp-fips | — | — |
| ubuntu | linux-gke | — | — |
| ubuntu | linux-gkeop | — | — |
| ubuntu | linux-hwe-5.15 | — | — |
| ubuntu | linux-ibm | — | — |
| ubuntu | linux-ibm-5.15 | — | — |
| ubuntu | linux-intel-iot-realtime | — | — |
| ubuntu | linux-intel-iotg | — | — |
| ubuntu | linux-intel-iotg-5.15 | — | — |
Detection & IOCs (extracted from sources)
Command: unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'
- Detect use of 'unshare' with an overlay mount combined with 'setcap cap_setuid+eip' on a copied binary. This is the canonical one-liner exploit pattern for CVE-2023-32629/CVE-2023-2640 (GameOverlay).
- Monitor for creation of SUID bash binaries in world-writable directories, such as /var/tmp/bash (chmod 4755), which is a common post-exploitation persistence step after GameOverlay privilege escalation.
- Alert on overlay filesystem mounts (mount -t overlay) initiated by non-root users inside user namespaces (unshare -rm), especially when combined with extended attribute manipulation, the core mechanism of CVE-2023-32629.
- A public one-line exploit for CVE-2023-2640 was disclosed via Twitter on July 28, 2023 (one day after public disclosure), indicating rapid weaponization. Treat any unshare+overlay+setcap combination on Ubuntu as a high-confidence exploitation attempt.
- CVE-2023-32629 affects Ubuntu-specific kernels only. The OverlayFS permission-check bypass via ovl_copy_up_meta_inode_data/ovl_do_setxattr is a vulnerability introduced by an Ubuntu kernel patch and is not present in upstream Linux kernels.
- The vulnerability affects not only bare-metal/VM Ubuntu hosts but also any containers (Docker and Kubernetes) running on vulnerable Ubuntu host kernels: container workloads share the host kernel and are equally exposed.
- Exploitation requires the ability to create user namespaces (unshare -rm). Environments that restrict unprivileged user namespace creation (e.g., via sysctl kernel.unprivileged_userns_clone=0) may mitigate this attack vector.
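The detection bullets above, expressed as correlation logic over process-execution events (an added example, not code from this page or its sources). The JSON event schema (`ts`, `auid`, `ses`, `argv`), the 60-second window and the sample events are constructed for illustration; `auid` and `ses` mirror auditd's login-uid and session fields.

```python
import json
import os
import re
from collections import defaultdict

WINDOW = 60                  # seconds in which the chain must complete (assumed value)
UNSET_AUID = 4294967295      # auditd's "no login uid": daemons such as container runtimes
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
CHAIN = {"userns_mount", "setcap_setuid", "overlay_mount"}


def _unshare_user_and_mount(args):
    """True when unshare asks for both a user and a mount namespace (-rm, -Um, ...)."""
    user = mount = False
    for a in args:
        if a == "--" or not a.startswith("-"):
            break                                  # options end at the program to run
        if a.startswith("--"):
            name = a[2:].split("=", 1)[0]
            user |= name in ("user", "map-root-user")
            mount |= name == "mount"
        else:                                      # short cluster; option values not modelled
            user |= "r" in a or "U" in a
            mount |= "m" in a
    return user and mount


def _sets_suid(mode):
    """True for octal modes with the 4000 bit or symbolic clauses like u+s / +s."""
    if re.fullmatch(r"[0-7]{3,5}", mode):
        return bool(int(mode, 8) & 0o4000)
    for clause in mode.split(","):
        m = re.fullmatch(r"([ugoa]*)[+=]([rwxXst]*)", clause)
        if m and "s" in m.group(2) and (not m.group(1) or set(m.group(1)) & {"u", "a"}):
            return True
    return False


def classify(argv):
    """Map one exec event to a signal name from the page's bullets, or None."""
    if not argv:
        return None
    prog, args = os.path.basename(argv[0]), argv[1:]
    if prog == "unshare" and _unshare_user_and_mount(args):
        return "userns_mount"
    if prog == "setcap" and any("cap_setuid" in a.lower() for a in args):
        return "setcap_setuid"
    if prog == "mount" and any(a in ("-t", "--types") and b == "overlay"
                               for a, b in zip(args, args[1:])):
        return "overlay_mount"
    if prog == "chmod":
        # First argument that is not a chmod option is the mode; relative paths are not resolved.
        mode = next((a for a in args if not re.fullmatch(r"--\w[\w-]*|-[cfvR]+", a)), "")
        if _sets_suid(mode) and any(p.startswith(WORLD_WRITABLE) for p in args):
            return "suid_drop"
    return None


def detect(lines):
    """Correlate signals per (auid, session); daemon and root-login sessions are skipped."""
    sessions = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        signal = classify(ev["argv"])
        if signal and ev["auid"] not in (0, UNSET_AUID):
            sessions[(ev["auid"], ev["ses"])].append((ev["ts"], signal))
    findings = []
    for (auid, ses), hits in sorted(sessions.items()):
        last, chain, overlay_in_userns = {}, False, False
        for ts, signal in sorted(hits):
            last[signal] = ts
            recent = {s for s, t in last.items() if ts - t <= WINDOW}
            chain |= recent >= CHAIN
            overlay_in_userns |= recent >= {"userns_mount", "overlay_mount"}
        if chain:
            severity = "high"        # unshare + setcap cap_setuid + overlay mount together
        elif overlay_in_userns or "suid_drop" in last:
            severity = "medium"      # partial pattern: review, e.g. rootless containers
        else:
            continue
        findings.append({"auid": auid, "ses": ses, "severity": severity,
                         "signals": sorted(last)})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"ts": 100, "auid": 1001, "ses": 7, "argv": ["unshare", "-rm", "sh", "-c", "<script>"]},
    {"ts": 100, "auid": 1001, "ses": 7, "argv": ["setcap", "cap_setuid+eip", "l/python3"]},
    {"ts": 101, "auid": 1001, "ses": 7, "argv": ["mount", "-t", "overlay", "overlay", "-o",
                                                 "rw,lowerdir=l,upperdir=u,workdir=w", "m"]},
    {"ts": 102, "auid": 1001, "ses": 7, "argv": ["chmod", "4755", "/var/tmp/bash"]},
    {"ts": 200, "auid": 1002, "ses": 9, "argv": ["unshare", "-r", "id"]},
    {"ts": 201, "auid": 1002, "ses": 9, "argv": ["chmod", "755", "/tmp/x"]},
    {"ts": 250, "auid": UNSET_AUID, "ses": 0, "argv": ["mount", "-t", "overlay", "overlay",
                                                       "-o", "lowerdir=a,upperdir=b,workdir=c", "d"]},
    {"ts": 300, "auid": 1003, "ses": 12, "argv": ["unshare", "-Urm", "bash"]},
    {"ts": 310, "auid": 1003, "ses": 12, "argv": ["mount", "-t", "overlay", "overlay", "-o",
                                                  "lowerdir=a,upperdir=b,workdir=c", "d"]},
    {"ts": 400, "auid": 1004, "ses": 13, "argv": ["setcap", "cap_setuid+ep", "tool"]},
    {"ts": 1000, "auid": 1004, "ses": 13, "argv": ["unshare", "-rm", "sh"]},
    {"ts": 1001, "auid": 1004, "ses": 13, "argv": ["mount", "-t", "overlay", "overlay", "-o",
                                                   "lowerdir=a,upperdir=b,workdir=c", "d"]},
]]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Session 13 shows the window at work: the `setcap` call falls outside the 60 seconds, so the session is rated medium rather than high.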
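CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 7.8 | HIGH | — |
| vulncheck | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | LOW | — |
| vendor_redhat | — | 7.8 | HIGH | — |
| vendor_ubuntu | — | 7.8 | HIGH | — |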
Ubuntu
Linux kernel (Oracle) vulnerabilities
vendor_ubuntu·2026-06-16·CVSS 7.8
CVE-2024-35862 [HIGH] Linux kernel (Oracle) vulnerabilities
Title: Linux kernel (Oracle) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS
implementation in the Ubuntu Linux kernel did not properly perform
permission checks in certain situations. A local attacker could possibly
use this to gain elevated privileges. (CVE-2023-2640)
Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in
the Ubuntu Linux kernel did not properly perform permission checks in
certain situations. A local attacker could possibly use this to gain
elevated privileges. (CVE-2023-32629)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following
Ubuntu
Linux kernel (GCP) vulnerabilities
vendor_ubuntu·2026-05-22·CVSS 7.8
CVE-2023-2640 [HIGH] Linux kernel (GCP) vulnerabilities
Title: Linux kernel (GCP) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS
implementation in the Ubuntu Linux kernel did not properly perform
permission checks in certain situations. A local attacker could possibly
use this to gain elevated privileges. (CVE-2023-2640)
Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in
the Ubuntu Linux kernel did not properly perform permission checks in
certain situations. A local attacker could possibly use this to gain
elevated privileges. (CVE-2023-32629)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following sub
Ubuntu
Linux kernel (Xilinx ZynqMP) vulnerabilities
vendor_ubuntu·2026-05-19·CVSS 7.8
CVE-2026-23093 [HIGH] Linux kernel (Xilinx ZynqMP) vulnerabilities
Title: Linux kernel (Xilinx ZynqMP) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS
implementation in the Ubuntu Linux kernel did not properly perform
permission checks in certain situations. A local attacker could possibly
use this to gain elevated privileges. (CVE-2023-2640)
Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in
the Ubuntu Linux kernel did not properly perform permission checks in
certain situations. A local attacker could possibly use this to gain
elevated privileges. (CVE-2023-32629)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the fol
Ubuntu
Linux kernel (Azure) vulnerabilities
vendor_ubuntu·2026-05-11·CVSS 7.8
CVE-2026-23273 [HIGH] Linux kernel (Azure) vulnerabilities
Title: Linux kernel (Azure) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS
implementation in the Ubuntu Linux kernel did not properly perform
permission checks in certain situations. A local attacker could possibly
use this to gain elevated privileges. (CVE-2023-2640)
Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in
the Ubuntu Linux kernel did not properly perform permission checks in
certain situations. A local attacker could possibly use this to gain
elevated privileges. (CVE-2023-32629)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following s
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2026-05-07·CVSS 7.8
CVE-2023-2640 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS
implementation in the Ubuntu Linux kernel did not properly perform
permission checks in certain situations. A local attacker could possibly
use this to gain elevated privileges. (CVE-2023-2640)
Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in
the Ubuntu Linux kernel did not properly perform permission checks in
certain situations. A local attacker could possibly use this to gain
elevated privileges. (CVE-2023-32629)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystem
Ubuntu
Kernel Live Patch Security Notice
vendor_ubuntu·2023-09-05·CVSS 7.8
CVE-2023-31248 [HIGH] Kernel Live Patch Security Notice
Title: Kernel Live Patch Security Notice
Summary: Several security issues were fixed in the kernel.
It was discovered that the IP-VLAN network driver for the Linux kernel did
not properly initialize memory in some situations, leading to an out-of-
bounds write vulnerability. An attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2023-3090)
Querijn Voet discovered that a race condition existed in the io_uring
subsystem in the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-3389)
It was discovered that the netfilter subsystem in the Linux kernel did not
properly handle some error conditions, leading to a
Ubuntu
Linux kernel (OEM) vulnerabilities
vendor_ubuntu·2023-08-11·CVSS 7.1
CVE-2023-38430 [HIGH] Linux kernel (OEM) vulnerabilities
Title: Linux kernel (OEM) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the NTFS file system implementation in the Linux
kernel did not properly check buffer indexes in certain situations, leading
to an out-of-bounds read vulnerability. A local attacker could possibly use
this to expose sensitive information (kernel memory). (CVE-2022-48502)
Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS
implementation in the Ubuntu Linux kernel did not properly perform
permission checks in certain situations. A local attacker could possibly
use this to gain elevated privileges. (CVE-2023-2640)
It was discovered that a race condition existed in the f2fs file system in
the Linux kernel, leading to a null pointer dereferenc
Ubuntu
Linux kernel (IoT) vulnerabilities
vendor_ubuntu·2023-07-28·CVSS 7.8
CVE-2023-32629 [HIGH] Linux kernel (IoT) vulnerabilities
Title: Linux kernel (IoT) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the IP-VLAN network driver for the Linux kernel did
not properly initialize memory in some situations, leading to an out-of-
bounds write vulnerability. An attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2023-3090)
Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in
the Ubuntu Linux kernel did not properly perform permission checks in
certain situations. A local attacker could possibly use this to gain
elevated privileges. (CVE-2023-32629)
It was discovered that the netfilter subsystem in the Linux kernel did not
properly handle some error conditions, leading to a use-after-
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2023-07-27·CVSS 7.1
CVE-2023-31248 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the NTFS file system implementation in the Linux
kernel did not properly check buffer indexes in certain situations, leading
to an out-of-bounds read vulnerability. A local attacker could possibly use
this to expose sensitive information (kernel memory). (CVE-2022-48502)
Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS
implementation in the Ubuntu Linux kernel did not properly perform
permission checks in certain situations. A local attacker could possibly
use this to gain elevated privileges. (CVE-2023-2640)
It was discovered that the IP-VLAN network driver for the Linux kernel did
not properly initialize memory in some situations, leading t
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2023-07-26·CVSS 7.8
CVE-2023-35001 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the IP-VLAN network driver for the Linux kernel did
not properly initialize memory in some situations, leading to an out-of-
bounds write vulnerability. An attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2023-3090)
Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in
the Ubuntu Linux kernel did not properly perform permission checks in
certain situations. A local attacker could possibly use this to gain
elevated privileges. (CVE-2023-32629)
It was discovered that the netfilter subsystem in the Linux kernel did not
properly handle some error conditions, leading to a use-after-free
v
Ubuntu
Linux kernel (OEM) vulnerabilities
vendor_ubuntu·2023-07-25·CVSS 5.5
CVE-2023-21106 [MEDIUM] Linux kernel (OEM) vulnerabilities
Title: Linux kernel (OEM) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the network queuing discipline implementation in the
Linux kernel contained a null pointer dereference in some situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2022-47929)
It was discovered that a race condition existed in Adreno GPU DRM driver in
the Linux kernel, leading to a double-free vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2023-21106)
Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS
implementation in the Ubuntu Linux kernel did not properly perform
permission checks in certain situations. A local attacker could possibly
use this t
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2023-07-25·CVSS 7.8
CVE-2023-35001 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS
implementation in the Ubuntu Linux kernel did not properly perform
permission checks in certain situations. A local attacker could possibly
use this to gain elevated privileges. (CVE-2023-2640)
It was discovered that the IP-VLAN network driver for the Linux kernel did
not properly initialize memory in some situations, leading to an out-of-
bounds write vulnerability. An attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2023-3090)
Mingi Cho discovered that the netfilter subsystem in the Linux kernel did
not properly validate the status of a nft chain while per
Red Hat
kernel: overlayfs: In Ubuntu skip permission checking for trusted.overlayfs.* xattrs
vendor_redhat·2023-07-06·CVSS 7.8
CVE-2023-2640 [HIGH] kernel: overlayfs: In Ubuntu skip permission checking for trusted.overlayfs.* xattrs
kernel: overlayfs: In Ubuntu skip permission checking for trusted.overlayfs.* xattrs
On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.
A flaw was found in the Linux Kernel where the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. This flaw allows a local attacker to gain elevated privileges due to skipped permission in checking for trusted.overlayfs.* xattrs (CVE-2023-2640). There is a similar local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_m
Red Hat
kernel: overlayfs: In Ubuntu skip permission checking for trusted.overlayfs.* xattrs
vendor_redhat·2023-07-06·CVSS 7.8
CVE-2023-32629 [HIGH] kernel: overlayfs: In Ubuntu skip permission checking for trusted.overlayfs.* xattrs
kernel: overlayfs: In Ubuntu skip permission checking for trusted.overlayfs.* xattrs
Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels
A flaw was found in the Linux Kernel where the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. This flaw allows a local attacker to gain elevated privileges due to skipped permission in checking for trusted.overlayfs.* xattrs (CVE-2023-2640). There is a similar local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data due to skipped permission checks when calling ovl_do_setxattr on Ubuntu kernels (CVE-2023-32629).
Package: kernel (R
Debian
CVE-2023-32629: linux - Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up...
vendor_debian·2023·CVSS 7.8
CVE-2023-32629 [HIGH] CVE-2023-32629: linux - Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up...
Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
OSV
Kernel Live Patch Security Notice
osv·2023-09-05·CVSS 7.8
CVE-2023-3090 [HIGH] Kernel Live Patch Security Notice
Kernel Live Patch Security Notice
It was discovered that the IP-VLAN network driver for the Linux kernel did
not properly initialize memory in some situations, leading to an out-of-
bounds write vulnerability. An attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2023-3090)
Querijn Voet discovered that a race condition existed in the io_uring
subsystem in the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-3389)
It was discovered that the netfilter subsystem in the Linux kernel did not
properly handle some error conditions, leading to a use-after-free
vulnerability. A local attacker could use this to ca
OSV
linux-oem-6.1 vulnerabilities
osv·2023-08-11·CVSS 7.1
CVE-2022-48502 [HIGH] linux-oem-6.1 vulnerabilities
linux-oem-6.1 vulnerabilities
It was discovered that the NTFS file system implementation in the Linux
kernel did not properly check buffer indexes in certain situations, leading
to an out-of-bounds read vulnerability. A local attacker could possibly use
this to expose sensitive information (kernel memory). (CVE-2022-48502)
Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS
implementation in the Ubuntu Linux kernel did not properly perform
permission checks in certain situations. A local attacker could possibly
use this to gain elevated privileges. (CVE-2023-2640)
It was discovered that a race condition existed in the f2fs file system in
the Linux kernel, leading to a null pointer dereference vulnerability. An
attacker could use this to construct a malicious f2fs imag
OSV
linux-iot vulnerabilities
osv·2023-07-28·CVSS 7.8
CVE-2023-3090 [HIGH] linux-iot vulnerabilities
linux-iot vulnerabilities
It was discovered that the IP-VLAN network driver for the Linux kernel did
not properly initialize memory in some situations, leading to an out-of-
bounds write vulnerability. An attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2023-3090)
Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in
the Ubuntu Linux kernel did not properly perform permission checks in
certain situations. A local attacker could possibly use this to gain
elevated privileges. (CVE-2023-32629)
It was discovered that the netfilter subsystem in the Linux kernel did not
properly handle some error conditions, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(
OSV
linux-aws-5.19, linux-gcp-5.19, linux-hwe-5.19 vulnerabilities
osv·2023-07-27·CVSS 7.1
CVE-2022-48502 [HIGH] linux-aws-5.19, linux-gcp-5.19, linux-hwe-5.19 vulnerabilities
linux-aws-5.19, linux-gcp-5.19, linux-hwe-5.19 vulnerabilities
It was discovered that the NTFS file system implementation in the Linux
kernel did not properly check buffer indexes in certain situations, leading
to an out-of-bounds read vulnerability. A local attacker could possibly use
this to expose sensitive information (kernel memory). (CVE-2022-48502)
Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS
implementation in the Ubuntu Linux kernel did not properly perform
permission checks in certain situations. A local attacker could possibly
use this to gain elevated privileges. (CVE-2023-2640)
It was discovered that the IP-VLAN network driver for the Linux kernel did
not properly initialize memory in some situations, leading to an out-of-
bounds write vulnerability
OSV
linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, lin
osv·2023-07-26·CVSS 7.8
[HIGH] linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, lin
linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp vulnerabilities
It was discovered that the IP-VLAN network driver for the Linux kernel did
not properly initialize memory in some situations, leading to an out-of-
bounds write vulnerability. An attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2023-3090)
Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in
the Ubuntu Linux kernel did not properly perform permission checks in
certain situations. A local attacker could possibly use this to gain
elevated privileges.
GHSA
GHSA-5xvw-32xh-2vr5: Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr o
ghsa_unreviewed·2023-07-26
CVE-2023-32629 [HIGH] CWE-863 GHSA-5xvw-32xh-2vr5: Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr o
Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels
OSV
linux-oem-6.0 vulnerabilities
osv·2023-07-25·CVSS 5.5
CVE-2022-47929 [MEDIUM] linux-oem-6.0 vulnerabilities
linux-oem-6.0 vulnerabilities
It was discovered that the network queuing discipline implementation in the
Linux kernel contained a null pointer dereference in some situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2022-47929)
It was discovered that a race condition existed in Adreno GPU DRM driver in
the Linux kernel, leading to a double-free vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2023-21106)
Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS
implementation in the Ubuntu Linux kernel did not properly perform
permission checks in certain situations. A local attacker could possibly
use this to gain elevated privileges. (CVE-2023-2640)
Mingi Cho discovered that the net
OSV
CVE-2023-32629: Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr o
osv·2023-06-06·CVSS 7.8
CVE-2023-32629 [HIGH] CVE-2023-32629: Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr o
Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels
VulnCheck
canonical ubuntu_linux Incorrect Authorization
vulncheck·2023·CVSS 7.8
CVE-2023-32629 [HIGH] canonical ubuntu_linux Incorrect Authorization
canonical ubuntu_linux Incorrect Authorization
Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels
Affected: canonical ubuntu_linux
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://hs-8813571.f.hubspotemail.net/hubfs/8813571/PERISCOPE_VULNINTEL_20250903.pdf
Exploit PoC: https://vulncheck.com/xdb/07473779890d; https://vulncheck.com/xdb/782449f1b796; https://vulncheck.com/xdb/3aac2dc2833f; https://vulncheck.com/xdb/587a66484598; https://vulncheck.com/xdb/95c60baef58d
Wiz
Kubernetes Security Context for Secure Container Workloads | Wiz
blogs_wiz·2025-09-25
Kubernetes Security Context for Secure Container Workloads | Wiz
A Kubernetes security context defines the runtime privileges and access controls for pods and containers, making it one of the most critical levers for enforcing least privilege and reducing attack surface. By carefully configuring security contexts, you can increase the security posture of your workloads, mitigate potential threats, and simplify compliance.
## The benefits of implementing security contexts
Here are some key advantages of leveraging Kubernetes security contexts:
## Enhanced security posture
Security contexts provide strict, runtime-level controls over containers and pods, including running processes as non-root users, restricting access to the root filesystem, and limiting Linux capabilities. These security measures limit privilege
Wiz
Kubernetes Security Context for Secure Container Workloads | Wiz
blogs_wiz·2025-09-25
Kubernetes Security Context for Secure Container Workloads | Wiz
A Kubernetes security context defines the runtime privileges and access controls for pods and containers, making it one of the most critical levers for enforcing least privilege and reducing attack surface. By carefully configuring security contexts, you can increase the security posture of your workloads, mitigate potential threats, and simplify compliance.
## The benefits of implementing security contexts
By implementing security contexts, teams gain fine-grained controls at both the pod and container levels. This practice helps them mitigate common vulnerabilities and enforce least privilege policies via settings like `runAsNonRoot`, `readOnlyRootFilesystem`, and scoped Linux capabilities. It also strengthens cluster-level defenses by leveraging SELinux options and AppArmor profiles.
Wiz
What Is Privilege Escalation? Types and Prevention Strategies | Wiz
blogs_wiz·2025-03-18
What Is Privilege Escalation? Types and Prevention Strategies | Wiz
Privilege escalation is when an attacker exploits weaknesses in your environment or infrastructure to gain higher access and control within a system or network.
Most organizations take multiple measures to tighten security, including defining different privilege levels for different user accounts. For example, you wouldn’t give ordinary users access to your most confidential, business-critical files. These security measures frustrate attackers who access your system through lower-privileged user accounts—so they try to gain more privileges in order to achieve malicious goals such as exfiltrating or encrypting your data.
Wiz
What Is Privilege Escalation? Types and Prevention Strategies | Wiz
blogs_wiz·2025-03-18
What Is Privilege Escalation? Types and Prevention Strategies | Wiz
Privilege escalation is when an attacker exploits weaknesses in your environment or infrastructure to gain higher access and control within a system or network.
Most organizations take multiple measures to tighten security, including defining different privilege levels for different user accounts. For example, you wouldn’t give ordinary users access to your most confidential, business-critical files. These security measures frustrate attackers who access your system through lower-privileged user accounts—so they try to gain more privileges in order to achieve malicious goals such as exfiltrating or encrypting your data.
Wiz
What Is Cloud Identity Security? | Wiz
blogs_wiz·2024-10-18
What Is Cloud Identity Security? | Wiz
## What is cloud identity security?
Cloud identity security is the practice of safeguarding digital identities and the sensitive cloud infrastructure and data they gatekeep from unauthorized access and misuse. The practice encompasses identity and access control mechanisms to allow or disallow access to human users (e.g., developers), service accounts, application identities, and other entities interacting with cloud services.
## The shift from traditional to cloud identity management
Traditionally, identity security
Wiz
What Is Cloud Identity Security? | Wiz
blogs_wiz·2024-10-18
What Is Cloud Identity Security? | Wiz
## What is cloud identity security?
Cloud identity security is the practice of safeguarding digital identities and the sensitive cloud infrastructure and data they gatekeep from unauthorized access and misuse. The practice encompasses identity and access control mechanisms to allow or disallow access to human users (e.g., developers), service accounts, application identities, and other entities interacting with cloud services.
## The shift from traditional to cloud identity management
Traditionally, identity security was managed on-premises; all identities came from a single, limited but easy-to-control
Wiz
#8 - GameOverlay – privilege escalation vulnerabilities in Ubuntu | Wiz
blogs_wiz·2023-08-29·CVSS 7.8
[HIGH] #8 - GameOverlay – privilege escalation vulnerabilities in Ubuntu | Wiz
Podcast
## #8 - GameOverlay – privilege escalation vulnerabilities in Ubuntu
🍿🤏 Everything you need to know about this month's cloud security drama in the latest "Crying Out Cloud" episode!
In this edition, we explore THREE captivating stories 📚🔍
1️⃣ "GameOverlay" unveiled: Ubuntu's privilege escalation vulnerabilities 😱 — Wiz Research uncovered a pair of vulnerabilities that's affecting 40% of Ubuntu cloud machines! We've got the scoop on what you must know.
2️⃣ Unmasking "P2PInfect": The botnet targeting Redis! 🤖 — Ever wondered how a botnet hijacks your exposed Redis instances? Let's get into the nitty-gritty of this attack and find out how to defend your environment.
3️⃣ Jumpcloud's dance with North Korea: A supply chain saga 🕊️ — Join us as we uncover the tale of Jumpcloud's b
Wiz
Crying Out Cloud - July Newsletter | Wiz
blogs_wiz·2023-08-01·CVSS 4.3
CVE-2023-2640 [MEDIUM] Crying Out Cloud - July Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – crucial vulnerabilities, exclusive data, and noteworthy incidents. Stay informed and stay secure. Let's delve in.
Here are our cloud security highlights for July!
## ✨ Highlights
## GameOver (lay): local privilege escalation vulnerabilities in Ubuntu Linux
Wiz Research discovered CVE-2023-2640 and CVE-2023-32629, two easy-to-exploit privilege escalation vulnerabilities in the OverlayFS module in Ubuntu affecting 40% of Ubuntu cloud workloads.
CVE-2023-2640 and CVE-2023-32629 were found in the OverlayFS module in Ubuntu, which is a widely used Linux filesystem that became highly popular with the rise of containers as its features enable the deployment of dynamic filesystems based on pre-built images. Successful
Wiz
GameOverlay Vulnerability Impacts 40% of Ubuntu Workloads | Wiz Blog
blogs_wiz·2023-07-27·CVSS 7.8
CVE-2023-2640 [HIGH] GameOverlay Vulnerability Impacts 40% of Ubuntu Workloads | Wiz Blog
CVE-2023-2640 and CVE-2023-32629 were found in the OverlayFS module in Ubuntu. OverlayFS is a widely used Linux filesystem that became highly popular with the rise of containers, as its features enable the deployment of dynamic filesystems based on pre-built images. OverlayFS serves as an attractive attack surface because it has a history of numerous logical vulnerabilities that were easy to exploit. This makes the newly discovered vulnerabilities especially risky, given that the exploits for past OverlayFS vulnerabilities work out of the box without any changes.
The two vulnerabilities are exclusive to Ubuntu because Ubuntu introduced several changes to the OverlayFS module in 2018. These modifications did not pose any risks at the time. In 2020, a security vulnerability was discovered and patched in
Crowdstrike
New Exploit: Rooting Non-Root Containers with GameOver(lay)
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] New Exploit: Rooting Non-Root Containers with GameOver(lay)
CTF
Analytics / README
ctf_writeups·CVSS 9.8
CVE-2023-38646 [CRITICAL] Analytics / README
# Analytics - HackTheBox - Writeup
Linux, 20 Base Points, Easy
## Machine
## TL;DR
To solve this machine, we start by using `nmap` to enumerate open services and find ports `22` and `3000`.
***User***: Identified the subdomain `data.analytics.htb` hosting Metabase. Exploited `CVE-2023-38646` to acquire a reverse shell as the `metabase` user. Discovered the password of the `metalytics` user in the `env`.
***Root***: Leveraged the OS version to execute GameOver(lay) Ubuntu Privilege Escalation, resulting in obtaining a `root` shell.
## Analytics Solution
### User
Let's begin by using `nmap` to scan the target machine:
```console
┌─[evyatar9@parrot]─[/hackthebox/Analytics]
└──╼ $ nmap -sV -sC -oA nmap/Analytics 10.10.11.233
# Nmap 7.93 scan initiated Sat Jan 6 23:15:29 2024 as:
```
- http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32629
- https://lists.ubuntu.com/archives/kernel-team/2023-July/140920.html
- https://ubuntu.com/security/notices/USN-6250-1
- https://wiz.io/blog/ubuntu-overlayfs-vulnerability
2023-07-26
Published
Exploited in the wild