CVE-2021-3493
Published: 17 April 2021
Summary
CVE-2021-3493 is a high-severity Privilege Context Switching Error (CWE-270) vulnerability in Canonical Ubuntu Linux. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 0.9% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
The vulnerability CVE-2021-3493 resides in the overlayfs implementation within the Linux kernel. It arises from insufficient validation of file capability settings on files in an underlying filesystem when unprivileged user namespaces are in use. The flaw is exacerbated by an Ubuntu-specific kernel patch that permits unprivileged overlay mounts, so systems running the affected Ubuntu kernels are exposed.
A local attacker who can create unprivileged user namespaces can exploit the issue to set arbitrary file capabilities. This enables the attacker to gain elevated privileges, with a CVSS score of 8.8 reflecting the high impact on confidentiality, integrity, and availability under a local attack vector.
Ubuntu addressed the vulnerability through USN-4917-1, which includes updated kernel packages that enforce proper capability validation for overlayfs. An upstream kernel commit also resolves the validation gap for user namespaces.
Public exploit code has been published demonstrating local privilege escalation on vulnerable Ubuntu systems.
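An added example, not code from this advisory or from Ubuntu: a small auditor that decodes `security.capability` extended-attribute values (layout and constants per the kernel header `linux/capability.h`) and reports files that carry capabilities without being on an allowlist, the outcome the analysis above describes. The paths, xattr bytes and allowlist are constructed; on a live host the bytes would come from `os.getxattr(path, "security.capability")`.

```python
import struct

# Constants and layout from the kernel UAPI header linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
REVISIONS = {0x01000000: (1, 12), 0x02000000: (2, 20), 0x03000000: (3, 24)}
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 7: "CAP_SETUID",
             12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 21: "CAP_SYS_ADMIN"}

def decode_file_caps(raw: bytes) -> dict:
    """Decode one security.capability value (little-endian on disk)."""
    if len(raw) < 4:
        raise ValueError("value too short")
    (magic,) = struct.unpack_from("<I", raw, 0)
    version, size = REVISIONS.get(magic & VFS_CAP_REVISION_MASK, (0, 0))
    if version == 0 or len(raw) != size:
        raise ValueError("unknown revision or wrong length")
    permitted = inheritable = 0
    for i in range(1 if version == 1 else 2):   # v1 has one 32-bit word pair
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", raw, 20)[0] if version == 3 else None  # v3 only
    return {"version": version, "permitted": permitted, "inheritable": inheritable,
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE), "rootid": rootid}

def cap_names(mask: int) -> list:
    return [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1]

def audit(xattrs: dict, allowlist: set) -> list:
    """Return (path, reason) for every capability-bearing file not allowlisted."""
    findings = []
    for path, raw in sorted(xattrs.items()):
        if path in allowlist:
            continue
        try:
            caps = decode_file_caps(raw)
        except ValueError as exc:
            findings.append((path, f"malformed xattr: {exc}"))
            continue
        if caps["permitted"]:
            findings.append((path, "unexpected caps: " + ",".join(cap_names(caps["permitted"]))))
    return findings

SAMPLE = {  # constructed sample data: path -> raw xattr bytes
    "/usr/bin/ping": struct.pack("<5I", 0x02000001, 1 << 13, 0, 0, 0),
    "/tmp/constructed/upper/helper": struct.pack("<5I", 0x02000001, 0xFFFFFFFF, 0, 0x1FF, 0),
}
ALLOWLIST = {"/usr/bin/ping"}
```

Calling `audit(SAMPLE, ALLOWLIST)` returns a single finding, for the constructed file under `/tmp`.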
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-26815
Vulnerability details
The overlayfs implementation in the Linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.
- CWE(s): CWE-270
- KEV Date Added: 20 October 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly enforces proper validation of file capabilities when unprivileged user namespaces and overlay mounts are used, preventing the unauthorized privilege escalation in overlayfs.
Ensures processes cannot acquire elevated file capabilities beyond their assigned privileges, blocking the exact local escalation path the CVE enables.
Requires timely application of kernel patches (e.g., USN-4917-1) that restore correct capability validation for overlayfs under user namespaces.