CISA warns of attackers exploiting Linux flaw with PoC exploit
CISA has warned U.S. federal agencies about attackers targeting a high-severity vulnerability in the Linux kernel’s OverlayFS subsystem that allows them to gain root privileges.
This local privilege escalation flaw (CVE-2023-0386), an improper ownership management weakness in the Linux kernel, was patched in January 2023 and publicly disclosed two months later.
Multiple proof-of-concept (PoC) exploits were also shared on GitHub starting in May 2023, making exploitation attempts easier to pull off and pushing the vulnerability to the top of Linux admins’ patching priority lists.
According to an analysis by Datadog Security Labs, CVE-2023-0386 is trivial to exploit and impacts a wide range of Linux distributions, including popular ones like Debian, Red Hat, Ubuntu, and Amazon Linux, if they’re using a kernel version lower than 6.2.
“Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount,” CISA explains. “This uid mapping bug allows a local user to escalate their privileges on the system.”
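The two facts above that matter for triage are the fix landing in kernel 6.2 and the bug living in OverlayFS. The following script is an added example written for this article, not code from CISA, Datadog, or the Linux project: it reports whether the running kernel's major.minor version predates 6.2 and lists the overlay mounts currently active, so an admin can see at a glance whether the subsystem is even in use. The version threshold is taken from the article; distribution kernels often backport fixes without changing the upstream version number, so a "predates 6.2" result means "check your vendor's advisory for CVE-2023-0386", not "confirmed vulnerable". The sample mount table is constructed for illustration.

```shell
#!/bin/sh
# Added triage helper for CVE-2023-0386 (example code, not from the article or CISA).
# It does two read-only things: compare the kernel version against the 6.2 fix
# release named in the article, and list active OverlayFS mounts.

# kernel_below_6_2 VERSION
#   Returns 0 if MAJOR.MINOR is lower than 6.2, 1 if it is 6.2 or newer,
#   and 2 if VERSION cannot be parsed. VERSION is a uname -r style string
#   such as 5.15.0-76-generic or 6.2.0-rc1.
kernel_below_6_2() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    # -s suppresses lines without a dot, so a bare "6" yields an empty minor.
    minor=$(printf '%s' "$ver" | cut -s -d. -f2 | sed 's/[^0-9].*//')
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -lt 6 ]; then return 0; fi
    if [ "$major" -eq 6 ] && [ "$minor" -lt 2 ]; then return 0; fi
    return 1
}

# overlay_mounts
#   Reads a /proc/mounts style table on stdin and prints the mount point and
#   options of every overlay filesystem (field 3 is the fs type).
overlay_mounts() {
    awk '$3 == "overlay" { print $2 " (" $4 ")" }'
}

# Constructed sample mount table used for a self-test; not captured from a real host.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
overlay /var/lib/docker/overlay2/abc/merged overlay rw,relatime,lowerdir=/l,upperdir=/u,workdir=/w 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# triage
#   Reports the running kernel's status and lists live overlay mounts.
triage() {
    running=$(uname -r 2>/dev/null || echo unknown)
    rc=0
    kernel_below_6_2 "$running" || rc=$?
    case "$rc" in
        0) echo "kernel $running predates 6.2: check your distribution's CVE-2023-0386 advisory" ;;
        1) echo "kernel $running is 6.2 or newer" ;;
        *) echo "could not parse kernel version '$running'" ;;
    esac
    echo "overlay mounts currently active:"
    if [ -r /proc/mounts ]; then
        overlay_mounts < /proc/mounts
    else
        echo "(no /proc/mounts on this host)"
    fi
}

# Run the live triage when /proc/mounts exists; the functions above can also be sourced.
if [ -r /proc/mounts ]; then triage; fi
```

Run it as an unprivileged user on each host; only the version comparison and a read of /proc/mounts are needed. A non-empty overlay list on a kernel flagged as predating 6.2 is the combination worth raising with whoever owns patching for that box.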
As mandated by the November 2021 Binding Operational Directive (BOD) 22-01, U.S. federal agencies must now secure their networks against ongoing attacks targeting CVE-2023-0386, which has been added to CISA’s Known Exploited Vulnerabilities catalog.
The cybersecurity agency has given Federal Civilian Executive Branch (FCEB) agencies three weeks to patch their Linux systems by July 8.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in an advisory that tags CVE-2023-0386 as actively exploited for the first time since it was patched.
On Tuesday, security researchers with the Qualys Threat Research Unit (TRU) also warned that threat actors could exploit two recently patched local privilege escalation (LPE) vulnerabilities to get root on systems running major Linux distributions.
Qualys TRU developed proof-of-concept exploits and successfully targeted CVE-2025-6019 to gain root privileges on Debian, Ubuntu, Fedora, and openSUSE systems.