Cyber Resilience

CVE-2021-3493

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 17 April 2021
Modified: 28 October 2025
KEV Added: 20 October 2022
Patch: available (USN-4917-1)
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.7996 (99.1st percentile)
Risk Priority: 86 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-3493 is a high-severity Privilege Context Switching Error (CWE-270) vulnerability in Canonical Ubuntu Linux. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

The vulnerability CVE-2021-3493 resides in the overlayfs implementation within the Linux kernel. It arises from insufficient validation, with respect to user namespaces, of file capabilities set on files in an underlying filesystem. The flaw is exacerbated by an Ubuntu-specific kernel patch that permits unprivileged overlay mounts, which is why systems running affected Ubuntu kernels are exposed even though the missing check is in upstream code.

A local attacker who can create unprivileged user namespaces can exploit the issue to set arbitrary file capabilities. This enables the attacker to gain elevated privileges, with a CVSS score of 8.8 reflecting the high impact on confidentiality, integrity, and availability under a local attack vector.

Ubuntu addressed the vulnerability through USN-4917-1, which includes updated kernel packages that enforce proper capability validation for overlayfs. An upstream kernel commit also resolves the validation gap for user namespaces.

Public exploit code has been published demonstrating local privilege escalation on vulnerable Ubuntu systems.
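The artifact such an escalation leaves on disk is a file capability (stored in the `security.capability` xattr) on a file that an unprivileged user should never have been able to endow. The following audit is an added defensive example, not code from this page or from Canonical: it assumes the `vfs_cap_data`/`vfs_ns_cap_data` layout from `linux/capability.h`, flags initial-namespace capabilities on non-root-owned files, runs on constructed sample entries, and can gather real entries on a Linux host via `scan_tree`.

```python
import os
import struct
# Layout from linux/capability.h: vfs_cap_data (v2, 20 bytes) and vfs_ns_cap_data
# (v3, 24 bytes: v2 plus rootid, the kuid of the root of the owning user namespace).
VFS_CAP_FLAGS_EFFECTIVE = 0x1
CAP_SETUID, CAP_NET_RAW = 7, 13

def encode(version, caps, rootid=0):  # builds v2/v3 values; used only for samples
    mask = sum(1 << c for c in caps)
    words = [(version << 24) | VFS_CAP_FLAGS_EFFECTIVE, mask & 0xFFFFFFFF, 0, mask >> 32, 0]
    if version == 3:
        words.append(rootid)
    return struct.pack("<%dI" % len(words), *words)

def parse_vfs_cap(raw):
    """Decode a security.capability xattr (v1, v2 or v3) into masks and rootid."""
    magic = struct.unpack_from("<I", raw, 0)[0]
    version, nwords = magic >> 24, (1 if magic >> 24 == 1 else 2)
    permitted = inheritable = 0
    for i in range(nwords):  # data[i] covers capability bits 32*i .. 32*i+31
        p, h = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted, inheritable = permitted | p << (32 * i), inheritable | h << (32 * i)
    rootid = struct.unpack_from("<I", raw, 4 + 8 * nwords)[0] if version == 3 else 0
    return {"version": version, "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": permitted, "inheritable": inheritable, "rootid": rootid}

def suspicious_caps(entries):
    """Flag init-namespace caps (v1/v2, or v3 with rootid 0) on non-root-owned files."""
    return [(path, uid, c["permitted"]) for path, uid, raw in entries
            for c in [parse_vfs_cap(raw)]  # an unprivileged user cannot legitimately set these
            if uid and c["permitted"] and (c["version"] < 3 or c["rootid"] == 0)]

def scan_tree(root):  # (path, owner uid, xattr) for every file under root with caps
    out = []
    for dirpath, _, names in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in names):
            try:  # OSError: xattr absent, or filesystem without xattr support
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:
                continue
            out.append((path, os.lstat(path).st_uid, raw))
    return out

# Constructed samples, not real files: a root-owned binary with its usual cap, a user-owned
# file carrying init-namespace CAP_SETUID, and a cap confined to uid 1000's own namespace.
SAMPLES = [
    ("/usr/bin/ping", 0, encode(2, [CAP_NET_RAW])),
    ("/home/user/upper/tool", 1000, encode(2, [CAP_SETUID])),
    ("/home/user/ns/tool", 1000, encode(3, [CAP_SETUID], rootid=1000)),
]
```

Only the user-owned file with a v2 (initial-namespace) capability is reported; the v3 entry is confined to its owner's user namespace and is what a correctly validated write produces.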


Vulnerability details

The overlayfs implementation in the Linux kernel did not properly validate, with respect to user namespaces, the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.

CWE(s): CWE-270 (Privilege Context Switching Error)
KEV Date Added: 20 October 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Canonical Ubuntu Linux: ≤ 18.04; 18.04.1 to 20.04; ≤ 20.10

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces proper validation of file capabilities when unprivileged user namespaces and overlay mounts are used, preventing the unauthorized privilege escalation in overlayfs.

AC-6 Least Privilege (prevent): Ensures processes cannot acquire elevated file capabilities beyond their assigned privileges, blocking the exact local escalation path the CVE enables.

Kernel patching (prevent; NIST control identifier not extracted): Requires timely application of kernel patches (e.g., USN-4917-1) that restore correct capability validation for overlayfs under user namespaces.
