Severity
High
Analysis Summary
A critical Linux kernel vulnerability, tracked as CVE-2023-0386, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation in the wild. This flaw resides in the OverlayFS subsystem, a union filesystem used widely in modern Linux distributions and containerized environments. The vulnerability stems from improper ownership management when handling file operations across mounts with differing security flags (particularly nosuid settings), allowing local attackers to escalate privileges by bypassing typical user permission boundaries.
The core issue lies in a UID mapping flaw during copy operations between filesystem layers. If a capable (i.e., setuid-enabled or with Linux capabilities) binary is copied from a nosuid mount into another mount, the kernel incorrectly preserves its privilege settings without enforcing proper ownership rules. This behavior violates CWE-282 (Improper Ownership Management), enabling malicious local users to abuse the setuid mechanism, thus running crafted binaries with root-level privileges.
The impact is particularly severe in multi-tenant and containerized environments, where local privilege escalation can break isolation boundaries, compromise containers, and enable attackers to pivot across the infrastructure. Affected products include Linux kernels prior to commit 4f11ada10d0a, Red Hat Enterprise Linux (RHEL) 7, 8, 9, and several NetApp products. The CVSS severity rating is High, and successful exploitation requires a local account, OverlayFS mounts with conflicting nosuid flags, and access to capable binaries.
To mitigate this risk, CISA has mandated that federal agencies apply patches by July 8, 2025. Organizations should prioritize installing kernel updates that resolve the flaw or apply vendor-recommended mitigations. In the interim, those unable to patch should consider disabling OverlayFS, enforcing strict local access controls, or following BOD 22-01 guidance for cloud-based infrastructures. Patching is especially critical in production systems managing sensitive data or mission-critical operations, where maintaining strong privilege separation is vital.
Impact
- Privilege Escalation
Indicators of Compromise
CVE
CVE-2023-0386
Remediation
- Refer to the Linux kernel Git repository for patch, upgrade, or suggested workaround information.
- Follow vendor-provided patches for affected distributions (e.g., RHEL 7, 8, 9, and NetApp products)
- Disable OverlayFS temporarily if patches cannot be immediately applied
- Implement stricter local user privilege controls to prevent unauthorized file manipulation
- Audit systems for conflicting nosuid mount flags in OverlayFS configurations
- Remove or restrict access to capable binaries in shared or less-trusted mount points
- Follow CISA’s BOD 22-01 guidance for cloud and distributed infrastructure
- Complete mitigation efforts by July 8, 2025, as mandated by CISA for federal agencies
- Monitor systems for signs of privilege escalation or suspicious local activity
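The audit items above (conflicting nosuid flags across OverlayFS layers, and capable binaries sitting on less-trusted mounts) can be checked from `/proc/self/mountinfo` and a walk of the lower layers. The script below is an added example written for this advisory, not tooling from the advisory's author, CISA, or the kernel project. It parses mountinfo, resolves each overlay's `lowerdir` to the mount that contains it, and flags any overlay whose nosuid setting differs from that of its lower layer; it also lists setuid/setgid files and files carrying a `security.capability` xattr under a given directory. The embedded mountinfo sample is constructed for the demonstration; the `/mnt/untrusted` and `/var/lib/overlay/...` paths are illustrative, not taken from the advisory.

```python
"""Audit OverlayFS mounts for nosuid mismatches (CVE-2023-0386 precondition).

The flaw needs a capable file on a nosuid lower layer copied up into an overlay
that is not itself nosuid. This script reports overlay mounts whose lower
layers disagree with the overlay mount point on the nosuid flag, and can list
setuid/setgid/capability-bearing files under a layer directory.
"""
import os
import re
import stat
from dataclasses import dataclass

# Constructed sample in /proc/self/mountinfo format (not real system data).
# Mount 55 is an overlay WITHOUT nosuid whose lowerdir lives on a nosuid mount:
# that is the mismatch the advisory tells you to look for. Mount 60 is consistent.
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 8:2 / /mnt/untrusted rw,nosuid,relatime shared:5 - ext4 /dev/sdb1 rw
55 22 0:45 / /var/lib/overlay/merged rw,relatime shared:9 - overlay overlay rw,lowerdir=/mnt/untrusted/lower,upperdir=/var/lib/overlay/upper,workdir=/var/lib/overlay/work
60 22 0:46 / /srv/app rw,nosuid,relatime shared:10 - overlay overlay rw,lowerdir=/mnt/untrusted/lower2,upperdir=/srv/upper,workdir=/srv/work
"""


@dataclass
class Mount:
    mount_point: str
    options: set          # per-mount flags such as rw, nosuid, nodev
    fstype: str
    super_options: dict   # filesystem options, e.g. lowerdir/upperdir/workdir


def _unescape(s: str) -> str:
    """mountinfo escapes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def parse_mountinfo(text: str) -> list:
    """Parse mountinfo lines: 'id parent maj:min root mntpoint opts [optional] - fstype source superopts'."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        pre_fields = pre.split()
        post_fields = post.split()
        mount_point = _unescape(pre_fields[4])
        options = set(pre_fields[5].split(","))
        fstype = post_fields[0]
        super_opts = {}
        for opt in post_fields[2].split(","):
            key, _, value = opt.partition("=")
            super_opts[key] = _unescape(value)
        mounts.append(Mount(mount_point, options, fstype, super_opts))
    return mounts


def containing_mount(mounts: list, path: str):
    """Return the mount with the longest mount point that is a prefix of path."""
    best = None
    for m in mounts:
        mp = m.mount_point
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best.mount_point):
                best = m
    return best


def audit_overlays(mounts: list) -> list:
    """Flag overlays whose nosuid flag differs from the mount holding each lowerdir."""
    findings = []
    for m in mounts:
        if m.fstype != "overlay":
            continue
        overlay_nosuid = "nosuid" in m.options
        for layer in m.super_options.get("lowerdir", "").split(":"):
            base = containing_mount([x for x in mounts if x is not m], layer)
            if base is None:
                continue
            if ("nosuid" in base.options) != overlay_nosuid:
                findings.append({
                    "overlay": m.mount_point,
                    "lowerdir": layer,
                    "lower_mount": base.mount_point,
                    "lower_nosuid": "nosuid" in base.options,
                    "overlay_nosuid": overlay_nosuid,
                })
    return findings


def find_capable_files(root: str) -> list:
    """List regular files under root that are setuid/setgid or carry file capabilities."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = []
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                reasons.append("setuid/setgid")
            if hasattr(os, "getxattr"):   # Linux only
                try:
                    os.getxattr(path, "security.capability", follow_symlinks=False)
                    reasons.append("security.capability")
                except OSError:
                    pass
            if reasons:
                hits.append((path, reasons))
    return hits


if __name__ == "__main__":
    source = "/proc/self/mountinfo"
    text = open(source).read() if os.path.exists(source) else SAMPLE_MOUNTINFO
    for f in audit_overlays(parse_mountinfo(text)):
        print(f"MISMATCH overlay={f['overlay']} (nosuid={f['overlay_nosuid']}) "
              f"lowerdir={f['lowerdir']} on {f['lower_mount']} (nosuid={f['lower_nosuid']})")
        for path, why in find_capable_files(f["lowerdir"]):
            print(f"  capable file: {path} [{', '.join(why)}]")
```

Run it on a host and it reads the live mountinfo; with no `/proc` it falls back to the constructed sample, where only the `/var/lib/overlay/merged` overlay is reported. A mismatch is a precondition, not proof of exploitation; the remediation is still the kernel update, with the mount audit used to decide which hosts to patch first and where the interim OverlayFS restriction matters most.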