CISA warns of active exploitation of Linux OverlayFS flaw
Tshedimoso Makhene
Jun 30, 2025 1:00:00 AM

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about the active exploitation of a critical Linux vulnerability, CVE-2023-0386, which affects the widely used OverlayFS filesystem.
What happened
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE‑2023‑0386, a Linux kernel privilege escalation flaw, to its Known Exploited Vulnerabilities (KEV) catalog, stating it’s being actively exploited in the wild. Although originally patched in early 2023, new evidence suggests that attackers are still leveraging this vulnerability for local privilege escalation.
Nature of the issue
The flaw resides in the OverlayFS subsystem of the Linux kernel. It mishandles UID mapping when copying a file from a nosuid mount to another overlay layer. This oversight allows an attacker to smuggle a set‑UID (SUID) binary with root ownership into a writable directory like /tmp, then execute it to gain elevated privileges.
Exploit mechanism
Security firm Datadog described the proof‑of‑concept: “tricking the kernel into creating a SUID binary owned by root… and executing it.” In May 2023, Wiz researchers highlighted similar OverlayFS bugs (GameOver(lay), CVE‑2023‑32629, CVE‑2023‑2640) with the same root‑escalation vector.
What was said
According to The Hacker News, CISA explained that “Linux kernel contains an improper ownership management vulnerability… how a user copies a capable file from a nosuid mount into another mount… This uid mapping bug allows a local user to escalate their privileges on the system.”
Furthermore, the company explained that CVE-2023-0386 stems from the kernel's failure to verify whether the user or group owning a file was mapped in the current user namespace when copying it from the overlay file system to the 'upper' directory. “This allows an unprivileged user to smuggle an SUID binary from a 'lower' directory to the 'upper' directory, by using OverlayFS as an intermediary,” the company said.
"These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine," Wiz researchers said.
Why it matters
The active exploitation of CVE‑2023‑0386 poses a serious risk to Linux systems across industries. Because OverlayFS is widely used across major Linux distributions, including RHEL and CentOS, as well as in IoT devices (some of which are deployed in healthcare), this vulnerability could allow attackers with local access to escalate their privileges to root, compromising the entire system.
The bottom line
Organizations still running unpatched Linux kernels are at risk. They should apply patches that address CVE‑2023‑0386 immediately, especially if using OverlayFS. Security teams should audit for this vulnerability now to prevent compromised systems from becoming entry points for privilege escalation.
FAQs
Why is this vulnerability a concern?
It’s being actively exploited in the wild. Once an attacker gains root access using this flaw, they can take complete control of the system, disable security software, steal sensitive data, or move laterally within a network.
What should I do if my systems are affected?
Update your Linux kernel to a patched version immediately. You should also monitor for unusual privilege escalation activity and enforce the principle of least privilege.
Where can I check if my system is vulnerable?
You can check your kernel version with uname -r and compare it to your distribution’s security advisories. Some Linux security tools or vendor patch trackers also flag known vulnerabilities like CVE-2023-0386.
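The audit suggested in the bottom line and the kernel-version check described in this answer can be scripted. The following is an added example, not code from the article or from any of the vendors it quotes. It assumes a POSIX shell on the host being audited, that the patched kernel version is taken from your distribution's advisory and passed as the first argument (the default of 6.2.0 is the mainline release that carried the fix; distribution kernels backport fixes, so the vendor's number should always win), and that the host exposes /proc/mounts and /proc/sys/user/max_user_namespaces. It reports facts and changes nothing.

```shell
#!/bin/sh
# Added example: local audit helper for CVE-2023-0386 exposure (not from the article).
# Assumption: the fixed kernel version comes from your vendor advisory ($1);
# 6.2.0 is only the mainline default and may be wrong for a backported distro kernel.

# Return 0 (true) when dotted version $1 is older than dotted version $2.
# Suffixes such as "-91-generic" are stripped; missing fields count as 0.
version_older() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//').0.0
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Print one line per finding. Nothing on the host is modified.
audit_overlayfs_host() {
    fixed=${1:-6.2.0}
    running=$(uname -r)
    if version_older "$running" "$fixed"; then
        echo "KERNEL: $running is older than $fixed -> compare with vendor advisory and patch"
    else
        echo "KERNEL: $running is at or above $fixed"
    fi

    # OverlayFS in use? Container runtimes mount it routinely, so this is common.
    if grep -qs ' overlay ' /proc/mounts; then
        echo "OVERLAYFS: overlay mounts present -> exposed if the kernel is unpatched"
    else
        echo "OVERLAYFS: no overlay mounts found"
    fi

    # Unprivileged user namespaces are what let a local user set up an overlay
    # mount at all; a value of 0 disables them and narrows the attack surface.
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        echo "USERNS: user.max_user_namespaces=$(cat /proc/sys/user/max_user_namespaces)"
    fi

    # The flaw ends with a root-owned SUID file in a writable directory, so any
    # recent root-owned SUID binary in the usual scratch locations deserves review.
    find /tmp /var/tmp /dev/shm -xdev -type f -user root -perm -4000 -mtime -7 2>/dev/null |
        sed 's/^/SUID-IN-TMP: /'
}

# Usage: sh audit.sh <fixed-kernel-version-from-vendor-advisory>
audit_overlayfs_host "${1:-6.2.0}"
```

The version comparison is numeric per field, so 6.10 correctly sorts after 6.2, and a bare major version such as "6" is treated as 6.0.0. Treat a "KERNEL ... older" line as a prompt to read the distribution's advisory rather than as proof of vulnerability, since vendors often backport the fix without changing the upstream version number.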
How does this affect healthcare organizations?
Systems running EHR platforms, lab management systems, or medical devices on Linux could be vulnerable. A successful exploit could expose patient data or disrupt clinical operations, leading to compliance breaches and service outages.