---

CISA Warns of Active Exploitation of Linux Kernel Privilege Escalation Vulnerability (CVE‑2023‑0386)

On June 18, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical Linux kernel vulnerability, CVE‑2023‑0386, to its Known Exploited Vulnerabilities (KEV) catalog.

This flaw, found in the OverlayFS subsystem, is being actively exploited in the wild and allows local privilege escalation to root. This is especially concerning given recent attacks such as the PumaBot SSH hijack botnet, which exploit similar attack vectors to gain unauthorized access.

Technical Overview

  • CVE‑2023‑0386 has a CVSS score of 7.8 and affects the Linux kernel’s implementation of OverlayFS.
  • The vulnerability stems from improper permission checks when copying files between different mount points in OverlayFS. Specifically, if a file with the setuid bit set is copied, the kernel may not properly verify ownership (UID/GID), allowing an attacker to create a setuid root binary. Securing file access permissions, similar to restricting users to FTP access only, can help reduce the attack surface.
  • A local attacker can exploit this to gain root privileges on the affected system.
  • The vulnerability was patched in 2023, but exploitation in the wild has only recently been observed and confirmed by CISA.
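
A defender-side triage check for the condition described above, added here as an example (not code from CISA or from the original article): it lists OverlayFS mounts in `/proc/mounts` format and reports setuid regular files owned by root in each mount's upper directory. The function names and the sample mount lines are constructed for illustration, and because container image layers can legitimately contain setuid binaries, hits are candidates for review rather than proof of compromise.

```python
import os
import stat

# Constructed sample in /proc/mounts format (not from a real host).
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
overlay /var/lib/app/merged overlay rw,relatime,lowerdir=/srv/base,upperdir=/var/lib/app/up,workdir=/var/lib/app/work 0 0
overlay /home/u/my\\040merged overlay rw,nosuid,relatime,lowerdir=/tmp/fuse,upperdir=/home/u/up,workdir=/home/u/work 0 0
"""

def _unescape(field):
    # /proc/mounts octal-escapes space, tab, newline and backslash.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def overlay_mounts(mounts_text):
    """Return mountpoint, upperdir and nosuid flag for each overlay mount."""
    found = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "overlay":
            continue
        opts = parts[3].split(",")
        kv = dict(o.split("=", 1) for o in opts if "=" in o)
        found.append({"mountpoint": _unescape(parts[1]),
                      "upperdir": _unescape(kv["upperdir"]) if "upperdir" in kv else None,
                      "nosuid": "nosuid" in opts})
    return found

def setuid_files(root, uid=0):
    """Walk root (symlinks not followed); return setuid regular files owned by uid."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == uid:
                hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        for m in overlay_mounts(fh.read()):
            hits = setuid_files(m["upperdir"]) if m["upperdir"] else []
            print(m["mountpoint"], "nosuid" if m["nosuid"] else "suid allowed", hits)
```

Run it as root so the walk can read every upper directory; an overlay mounted without `nosuid` whose upper directory holds an unexpected setuid-root file is the first thing to review.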
