NEWS You didn’t download a virus. You didn’t open attachments. You were just on a Linux server — and root was already in someone else’s hands

ExcalibuR


All an attacker needs is a bit of patience and a forgotten bug in OverlayFS.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a dangerous Linux kernel vulnerability, CVE-2023-0386, to its Known Exploited Vulnerabilities (KEV) catalog. The bug was patched back in early 2023, but it has seen a surge in real-world exploitation in recent months.


The vulnerability lies in OverlayFS, the union filesystem that stacks several directory layers into a single view and is widely used by container runtimes and live Linux distributions. The flaw sits in the copy-up step, when a file is copied from a read-only lower layer into the writable upper layer: the kernel reproduced the file's owner uid and gid and its setuid bit without checking whether those ids were actually mapped in the user namespace of the user who created the mount. A lower layer under an unprivileged user's control could therefore present a setuid binary owned by uid 0, and the copy-up would recreate it on the host filesystem as a genuine setuid-root file.


According to a Datadog Security Labs analysis published in May 2023, exploiting the bug is relatively easy. The attacker ends up with a setuid-root file in a directory such as /tmp, and running it yields root privileges. The simplicity of the approach makes the flaw especially attractive for mass exploitation via automated tools.


Though developers patched the issue promptly, CISA reported its active use by malicious groups in 2024. While exact exploitation details remain undisclosed, its inclusion in the KEV list confirms it is being actively abused in the wild.


The bug undermines a core Linux isolation mechanism: user namespaces, which are meant to confine the privileges of users and processes. Because of the flawed overlay implementation, an executable can be moved from one layer to another and end up running with administrative rights on the host. This is particularly critical in multi-user environments and containerized infrastructure.


Further risk emerged when researchers from Wiz uncovered two related vulnerabilities, CVE-2023-32629 and CVE-2023-2640, collectively dubbed GameOver(lay), in Ubuntu's modified OverlayFS. These flaws likewise allowed specially crafted files to be executed with system-level privileges. As with CVE-2023-0386, the root cause was OverlayFS logic that skipped fundamental security checks.


Given the growing threat, CISA has mandated all Federal Civilian Executive Branch (FCEB) agencies to apply patches by July 8, 2025. The directive aims to reduce attack surfaces and strengthen the resilience of government IT infrastructure against privilege escalation techniques.


However, the threat isn’t limited to government systems. Any Linux-based environment relying on a vulnerable version of OverlayFS is at risk — particularly public servers, cloud platforms, and CI/CD systems that depend on correct isolation behavior.


Even with mandatory access control such as AppArmor or SELinux enabled, a working exploit can bypass those restrictions if the kernel itself is unpatched: the escalation happens inside the kernel's copy-up logic, beneath the policy layer. A key risk factor is the self-sufficiency of the attack: it needs no external libraries and can be carried out with tools already present on the system. The one precondition worth checking is that the attacker can create user namespaces and mounts as an unprivileged user, since the public exploit relies on that to set up its own overlay mount.


Effective protection therefore means more than a firewall or antivirus. It requires continuous kernel updates, active monitoring, and regular auditing of setuid/setgid files, especially in shared or distributed environments. Where unprivileged user namespaces are not needed, disabling them removes the precondition the public exploit depends on, and mounting world-writable directories such as /tmp with nosuid raises the bar further.
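The checks above (a setuid binary dropped into a world-writable directory, overlay mounts in use, nosuid on /tmp, and whether unprivileged user namespaces are allowed) are easy to script. The POSIX sh below is an added example written for this page, not code from the article or from any of the researchers it cites. Function names, the `/proc/self/mounts` sample and the demo are assumptions and constructed data; the two sysctls it reads, `user.max_user_namespaces` and the Debian/Ubuntu-specific `kernel.unprivileged_userns_clone`, are real kernel knobs.

```sh
#!/bin/sh
# Added example, not part of the article: a small POSIX sh audit for the
# conditions behind CVE-2023-0386-style privilege escalation. Every check
# takes its input as an argument or on stdin, so the functions can be run
# against constructed data (as in demo) or against a live host.

# List setuid/setgid regular files under a directory. A setuid-root binary
# that suddenly appears in a world-writable location such as /tmp is the
# end product of the copy-up abuse and a strong detection signal.
find_suid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Given one line in /proc/self/mounts format, report whether the mount is
# nosuid. A nosuid /tmp stops a dropped setuid binary from elevating when
# run from there (the attacker may still pick another writable location).
mount_has_nosuid() {
  printf '%s\n' "$1" | awk '{
    n = split($4, o, ",")
    for (i = 1; i <= n; i++) if (o[i] == "nosuid") { print "yes"; exit }
    print "no"
  }'
}

# Count overlay mounts in a /proc/self/mounts dump read from stdin, to see
# how much of the host actually depends on OverlayFS.
count_overlay_mounts() {
  awk '$3 == "overlay" { c++ } END { print c + 0 }'
}

# Decide whether unprivileged users may create user namespaces, which the
# public exploit needs in order to set up its own overlay mount.
#   $1 = user.max_user_namespaces (0 disables creation)
#   $2 = kernel.unprivileged_userns_clone on Debian/Ubuntu kernels, or ""
userns_allowed() {
  if [ "$1" -eq 0 ]; then echo no; return; fi
  if [ -n "$2" ] && [ "$2" -eq 0 ]; then echo no; return; fi
  echo yes
}

# Constructed /proc/self/mounts sample (not captured from a real host).
SAMPLE_MOUNTS='overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/A:/var/lib/docker/overlay2/l/B,upperdir=/var/lib/docker/overlay2/x/diff,workdir=/var/lib/docker/overlay2/x/work 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'

# Demonstration on constructed data, then (when readable) on the live host.
demo() {
  d=$(mktemp -d)
  : > "$d/plain"
  : > "$d/suidbin"
  chmod 4755 "$d/suidbin"   # an owner may set the setuid bit on its own file
  echo "setuid/setgid files under $d:"
  find_suid "$d"
  rm -rf "$d"

  echo "overlay mounts in sample: $(printf '%s\n' "$SAMPLE_MOUNTS" | count_overlay_mounts)"
  printf '%s\n' "$SAMPLE_MOUNTS" | while read -r line; do
    case $line in *' /tmp '*) echo "/tmp nosuid: $(mount_has_nosuid "$line")" ;; esac
  done
  echo "userns allowed with max_user_namespaces=0: $(userns_allowed 0 '')"

  if [ -r /proc/sys/user/max_user_namespaces ]; then
    max=$(cat /proc/sys/user/max_user_namespaces)
    clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo '')
    echo "userns allowed on this host: $(userns_allowed "$max" "$clone")"
    echo "overlay mounts on this host: $(count_overlay_mounts < /proc/self/mounts)"
  fi
}

if [ "${1:-}" = run ]; then demo; fi
```

Run it as `sh audit.sh run`; for a real sweep, point `find_suid` at `/tmp`, `/var/tmp`, `/dev/shm` and home directories, and compare the output against a baseline taken after patching. A user namespace check reading "yes" on an unpatched kernel is the combination that matters.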
 