Cyber Resilience

CVE-2023-0386

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 22 March 2023

Published
22 March 2023
Modified
04 November 2025
KEV Added
17 June 2025
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.4852 97.8th percentile
Risk Priority 65 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-0386 is a high-severity Improper Ownership Management (CWE-282) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 2.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-0386 is a privilege-escalation flaw in the Linux kernel's OverlayFS subsystem. The issue stems from improper UID mapping when a user copies a file that carries capabilities from a nosuid mount into another mount, allowing unauthorized execution of setuid binaries with elevated privileges. The vulnerability affects the kernel's handling of OverlayFS and is tracked under CWE-282.

A local attacker with a low-privileged account can exploit the flaw by performing the copy operation across mounts, resulting in the ability to execute code with root-level capabilities. The attack requires no user interaction and yields full confidentiality, integrity, and availability impact on the host, consistent with the CVSS 7.8 rating.

Kernel developers addressed the issue with commit 4f11ada10d0a. Debian issued updated packages through its LTS channels in 2023 and 2024, while NetApp published an advisory confirming affected storage products and recommending firmware or kernel updates.

EPSS for the CVE rose from lower values after disclosure to a peak of 0.6156 before receding to the current 0.4852, indicating measurable post-disclosure exploitation interest that later declined.

EU & UK References

Vulnerability details

A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount…

more

into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.

CWE(s)
KEV Date Added
17 June 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

debian
debian linux
10.0
netapp
h300s firmware
all versions
netapp
h500s firmware
all versions
netapp
h700s firmware
all versions
netapp
h410s firmware
all versions
netapp
h410c firmware
all versions
canonical
ubuntu linux
18.04, 20.04, 22.04
linux
linux kernel
6.2 · 5.11 — 5.15.91 · 5.16 — 6.1.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces file permission, capability, and nosuid mount restrictions that the OverlayFS uid-mapping flaw bypasses to allow unauthorized setuid execution.

prevent

Requires timely application of the kernel patch (commit 4f11ada10d0a) that corrects the OverlayFS uid-mapping logic and eliminates the privilege-escalation vector.

prevent

Limits the initial privileges granted to local users so that even a successful bypass of OverlayFS restrictions yields minimal additional capability.

References