CISA Warns of Active Exploitation of Linux Kernel Privilege Escalation Vulnerability

Avatar
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday placed a security flaw impacting the Linux kernel in its Known Exploited Vulnerabilities (KEV) catalog, stating it has been actively exploited in the wild. The vulnerability, CVE-2023-0386 (CVSS score: 7.8), is an improper ownership bug in the Linux kernel that could be exploited to escalate privileges on susceptible

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday placed a security flaw impacting the Linux kernel in its Known Exploited Vulnerabilities (KEV) catalog, stating it has been actively exploited in the wild.

The vulnerability, CVE-2023-0386 (CVSS score: 7.8), is an improper ownership bug in the Linux kernel that could be exploited to escalate privileges on susceptible systems. It was patched in early 2023.

“Linux kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount,” the agency said.

“This uid mapping bug allows a local user to escalate their privileges on the system.”

It’s currently not known how the security flaw is being exploited in the wild. In a report published in May 2023, Datadog said the vulnerability is trivial to exploit and that it works by tricking the kernel into creating a SUID binary owned by root in a folder like “/tmp” and executing it.

“CVE-2023-0386 lies in the fact that when the kernel copied a file from the overlay file system to the ‘upper’ directory, it did not check if the user/group owning this file was mapped in the current user namespace,” the company said.

“This allows an unprivileged user to smuggle an SUID binary from a ‘lower’ directory to the ‘upper’ directory, by using OverlayFS as an intermediary.”

Later that year, cloud security firm Wiz detailed two security vulnerabilities dubbed GameOver(lay) (CVE-2023-32629 and CVE-2023-2640) affecting Unix systems that led to similar consequences as CVE-2023-0386.

“These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine,” Wiz researchers said.

Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by July 8, 2025, to secure their networks against active threats.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

Veeam Patches CVE-2025-23121: Critical RCE Bug Rated 9.9 CVSS in Backup & Replication

Next Post

Water Curse Employs 76 GitHub Accounts to Deliver Multi-Stage Malware Campaign

Related Posts

⚡ THN Weekly Recap: iOS Zero-Days, 4Chan Breach, NTLM Exploits, WhatsApp Spyware & More

Can a harmless click really lead to a full-blown cyberattack? Surprisingly, yes — and that’s exactly what we saw in last week’s activity. Hackers are getting better at hiding inside everyday actions: opening a file, running a project, or logging in like normal. No loud alerts. No obvious red flags. Just quiet entry through small gaps — like a misconfigured pipeline, a trusted browser feature,
Avatar
Read More

Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet

Threat actors have been observed actively exploiting security flaws in GeoVision end-of-life (EoL) Internet of Things (IoT) devices to corral them into a Mirai botnet for conducting distributed denial-of-service (DDoS) attacks. The activity, first observed by the Akamai Security Intelligence and Response Team (SIRT) in early April 2025, involves the exploitation of two operating system command
Avatar
Read More