
Hackers Exploit Linux Flaw as CISA Sounds the Alarm on PoC Exploit


CISA has issued a warning to U.S. federal agencies, highlighting that attackers are actively targeting a high-severity vulnerability in the Linux kernel’s OverlayFS subsystem. This flaw enables them to gain root privileges on affected systems.

This local privilege escalation security flaw, tracked as CVE-2023-0386, stems from a weakness in the Linux kernel’s ownership management. Developers patched the issue in January 2023 and publicly disclosed it two months later.

Starting in May 2023, researchers shared multiple proof-of-concept (PoC) exploits on GitHub. Consequently, these public PoCs made exploitation attempts easier to execute and pushed the vulnerability to the top of Linux administrators’ patching priority lists.

Moreover, an analysis by Datadog Security Labs found that CVE-2023-0386 is trivial to exploit. It affects a wide range of Linux distributions, including Debian, Red Hat, Ubuntu, and Amazon Linux, running kernel versions below 6.2. Note that the upstream fix landed in 6.2 and was backported to stable branches, so a distribution kernel whose version number is below 6.2 may already carry the fix; check the vendor's advisory for the specific package rather than relying on the version string alone.

CISA further explains, “The Linux kernel contains an improper ownership management vulnerability, where unauthorized access occurs during the execution of the setuid file with capabilities. This issue arises in the OverlayFS subsystem when a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.”
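The description above gives a practitioner two things to check on a host: whether the running kernel predates the upstream fix in 6.2, and whether an unprivileged user can create the user namespace needed to mount OverlayFS without root. The following triage script is an added example, not code from the article, CISA, Datadog or Qualys. It assumes (the article does not state this) that the public PoCs rely on an unprivileged user namespace; the sysctl paths it reads are the upstream `user.max_user_namespaces` knob and the Debian/Ubuntu-specific `kernel.unprivileged_userns_clone` knob, and the `SYSCTL_ROOT` parameter exists only so the check can be run against a constructed directory.

```sh
#!/bin/sh
# CVE-2023-0386 host triage (added example, not from the article or CISA).
# Version checks are first-pass only: distro kernels backport the 6.2 fix,
# so confirm against the vendor advisory before treating a host as fixed.

# kernel_below_62 VERSION
#   exit 0 if VERSION (e.g. "5.15.0-91-generic") is older than 6.2,
#   exit 1 if 6.2 or newer, exit 2 if the string cannot be parsed.
kernel_below_62() {
    ver=${1%%-*}            # strip "-91-generic", "-amd64", ...
    ver=${ver%%+*}          # strip "+" build suffixes
    case "$ver" in *.*) ;; *) return 2 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -lt 6 ] && return 0
    [ "$major" -eq 6 ] && [ "$minor" -lt 2 ] && return 0
    return 1
}

# unpriv_userns_enabled [SYSCTL_ROOT]
#   exit 0 if unprivileged user namespaces look enabled under SYSCTL_ROOT
#   (default /proc/sys). Assumed prerequisite for mounting OverlayFS as an
#   unprivileged user; the article itself does not state this.
unpriv_userns_enabled() {
    root=${1:-/proc/sys}
    if [ -r "$root/kernel/unprivileged_userns_clone" ]; then
        [ "$(cat "$root/kernel/unprivileged_userns_clone")" = "1" ] || return 1
    fi
    if [ -r "$root/user/max_user_namespaces" ]; then
        [ "$(cat "$root/user/max_user_namespaces")" -gt 0 ] || return 1
    fi
    return 0
}

# triage VERSION [SYSCTL_ROOT] -> prints one verdict word and a short reason
triage() {
    kver=$1
    kernel_below_62 "$kver"
    case $? in
        2) echo "UNKNOWN: could not parse kernel version '$kver'"; return 0 ;;
        1) echo "FIXED-UPSTREAM: kernel $kver is 6.2 or newer"; return 0 ;;
    esac
    if unpriv_userns_enabled "${2:-/proc/sys}"; then
        echo "EXPOSED: kernel $kver predates 6.2 and unprivileged user namespaces are enabled; verify the backport or patch"
    else
        echo "REDUCED: kernel $kver predates 6.2 but unprivileged user namespaces are disabled; still verify the backport"
    fi
}

triage "$(uname -r)"
```

Run it as an unprivileged user on each host; a REDUCED verdict is a mitigation, not a fix, and the only authoritative answer is the vendor's advisory for the installed kernel package.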

Under the requirements of Binding Operational Directive (BOD) 22-01, issued in November 2021, U.S. federal agencies must now take action to defend their networks from ongoing attacks exploiting CVE-2023-0386, which CISA recently added to its Known Exploited Vulnerabilities catalog.

CISA has given Federal Civilian Executive Branch (FCEB) agencies three weeks, until July 8, to patch vulnerable Linux systems.

CISA emphasized in its advisory, “These types of vulnerabilities frequently serve as attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” This marks the first time CVE-2023-0386 has been officially tagged as actively exploited since it was initially patched.

Additionally, on Tuesday, security researchers from the Qualys Threat Research Unit (TRU) issued a separate warning. They reported that threat actors could exploit two recently patched local privilege escalation (LPE) vulnerabilities to gain root access on systems running major Linux distributions.

To demonstrate the risk, Qualys TRU developed proof-of-concept exploits and successfully used CVE-2025-6019 to obtain root privileges on Debian, Ubuntu, Fedora, and openSUSE systems.

Source: BleepingComputer

Read more at Impreza News