CVE-2023-0386
Published: 22 March 2023
Summary
CVE-2023-0386 is a high-severity Improper Ownership Management (CWE-282) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-0386 is a privilege-escalation flaw in the Linux kernel's OverlayFS subsystem. The issue stems from improper UID mapping when a user copies a file that carries capabilities from a nosuid mount into another mount, allowing unauthorized execution of setuid binaries with elevated privileges. The vulnerability affects the kernel's handling of OverlayFS and is tracked under CWE-282.
A local attacker with a low-privileged account can exploit the flaw by performing the copy operation across mounts, resulting in the ability to execute code with root-level capabilities. The attack requires no user interaction and yields full confidentiality, integrity, and availability impact on the host, consistent with the CVSS 7.8 rating.
Kernel developers addressed the issue with commit 4f11ada10d0a. Debian issued updated packages through its LTS channels in 2023 and 2024, while NetApp published an advisory confirming affected storage products and recommending firmware or kernel updates.
EPSS for the CVE rose from lower values after disclosure to a peak of 0.6156 before receding to the current 0.4852, indicating measurable post-disclosure exploitation interest that later declined.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-12447
Vulnerability details
A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.
- CWE(s): CWE-282
- KEV Date Added: 17 June 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces file permission, capability, and nosuid mount restrictions that the OverlayFS uid-mapping flaw bypasses to allow unauthorized setuid execution.
- SI-2 (Flaw Remediation): Requires timely application of the kernel patch (commit 4f11ada10d0a) that corrects the OverlayFS uid-mapping logic and eliminates the privilege-escalation vector.
- Least privilege: Limits the initial privileges granted to local users so that even a successful bypass of OverlayFS restrictions yields minimal additional capability.
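As an added example (not part of this advisory or of the kernel project), a small Python audit of the mount table that inventories the configuration the AC-3 control concerns: each overlay mount, whether its merged view is nosuid, and whether its lower/upper layers sit on a nosuid mount. The mount lines are constructed sample data in /proc/self/mounts format, and the function names and the layer-to-mountpoint matching are this example's own assumptions.

```python
import re

# Constructed sample in /proc/self/mounts format (not captured from a real host): /merged
# overlays layers on the nosuid /tmp while its merged view is not nosuid; the docker overlay
# is itself mounted nosuid and its layers live elsewhere; the last line has an escaped space.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
overlay /merged overlay rw,relatime,lowerdir=/tmp/lower,upperdir=/tmp/upper,workdir=/tmp/work 0 0
overlay /var/lib/docker/overlay2/abc/merged overlay rw,nosuid,nodev,relatime,lowerdir=/l,upperdir=/u,workdir=/w 0 0
tmpfs /mnt/my\\040share tmpfs rw,nosuid,relatime 0 0
"""
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")

def unescape(text: str) -> str:
    """Decode the \\ooo octal escapes /proc/mounts uses for space, tab, newline and backslash."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)

def parse_mounts(text: str) -> list:
    """Parse /proc/mounts-style lines into dicts; 'options' maps name -> value (None for flags)."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:  # dump/pass fields are ignored
            continue
        source, target, fstype, raw_opts = (unescape(p) for p in parts[:4])
        options = {}
        for opt in raw_opts.split(","):
            name, _, value = opt.partition("=")
            options[name] = value or None
        mounts.append({"source": source, "target": target, "fstype": fstype, "options": options})
    return mounts

def _under(path: str, mountpoint: str) -> bool:
    return path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/")

def overlay_findings(mounts: list) -> list:
    """Per overlay mount: is the merged view nosuid, and which layers live on a nosuid mount."""
    nosuid_targets = [m["target"] for m in mounts if "nosuid" in m["options"]]
    findings = []
    for m in mounts:
        if m["fstype"] != "overlay":
            continue
        layers = []
        for key in ("lowerdir", "upperdir"):  # lowerdir may hold several ':'-separated layers
            if m["options"].get(key):
                layers.extend(m["options"][key].split(":"))
        findings.append({"target": m["target"], "nosuid": "nosuid" in m["options"],
                         "layers_on_nosuid": [d for d in layers if any(_under(d, t) for t in nosuid_targets)]})
    return findings
```

A reported configuration only matters on a kernel that lacks the fix; the finding tells an operator where to look, while the SI-2 patch remains the actual remediation.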