What is CVE-2023-0386?
CVE-2023-0386 is a local privilege escalation vulnerability in the Linux kernel OverlayFS subsystem affecting kernels 5.11 through 6.1.8. (excluding 5.15.91). The flaw lies in the way OverlayFS handles file copies between mounts when one of the mounts was created with the nosuid option. During the copy-up operation, file capabilities from a source setuid binary can be improperly preserved, even though the destination mount is supposed to strip them. A low-privileged local user can therefore obtain elevated capabilities, potentially exploiting the system further with root privileges.
When was the vulnerability discovered?
The issue was publicly disclosed in the National Vulnerability Database on March 22, 2023. A patch (commit 4f11ada10d0a) had already been merged into the mainline kernel earlier in February 2023 and later back-ported by major distributions. Proof-of-concept exploit code surfaced on open-source repositories soon after the issue was disclosed.
Armis Centrix™ for Early Warning added CVE-2023-0386 to the list of known vulnerabilities being exploited in the wild on June 14, 2023. By comparison, CISA placed CVE-2023-0386 into its Known Exploited Vulnerabilities catalog on June 17, 2025, making Armis Centrix™ for Early Warning 734 days earlier.

Significance of CVE-2023-0386:
Vulnerable component: The issue is in overlayFS’s copy_up function. A corner case exists when there is a mapping of the invalid uid/gid (65534 by default) in the user namespace. In this corner case, the vulnerable implementation does not fail in an exception, allowing the copied binary to retain effective capabilities.
Exploitation scenario: Any user who can create a writable mount and has read access to a capable setuid binary can craft a new filesystem overlay, copy the binary, and then execute it to gain elevated privileges on the host. Public PoC scripts have been published on open-source repositories
Impact and blast radius: Successful exploitation grants attackers elevated privileges on the victim host. This may lead to elevated system commands to further compromise the host.
Value of Timely Awareness: Local privilege-escalation bugs allow for lateral movement, breakout from restricted shells, and persistence. Early knowledge enables defenders to patch swiftly, adjust EDR detection rules for suspicious mount operations, and tighten policies before attackers weaponize the weakness at scale.
Mitigation and Protection:
Proactive defense and workarounds: Upgrade to a kernel version incorporating commit 4f11ada10d0a or the vendor-supplied back-port. Where immediate patching is not possible, restrict the creation of new mounts with the overlay filesystem.
Continuous monitoring and updates: Security teams should track vendor advisories, subscribe to kernel-related mailing lists, and apply new kernels during the next maintenance window. Teams should also monitor SIEM for abnormal mount activities. Routine vulnerability scanning and configuration management will further reduce exposure to the vulnerability.
Stay vigilant and ensure your systems are up-to-date to defend against evolving cybersecurity threats.
Armis Centrix™ for Early Warning is the proactive cybersecurity solution designed to empower organizations with early warning intelligence to anticipate and mitigate cyber risk effectively. Looking for real-time context, prioritization, and actionable insights tailored to your specific industry and threat levels? Make sure to check out our Armis Vulnerability Intelligence Database.