Known Exploited Vulnerability
7.8
HIGH CVSS 3.1
CVE-2023-0386
Linux Kernel Improper Ownership Management Vulnerability - [Actively Exploited]
Description

A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.

INFO

Published Date :

March 22, 2023, 9:15 p.m.

Last Modified :

June 17, 2026, 5:25 a.m.

Remotely Exploit :

No
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Known Ransomware Campaign Use:

Unknown

Notes :

This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, please see: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a ; https://access.redhat.com/security/cve/cve-2023-0386 ; https://security.netapp.com/advisory/ntap-20230420-0004/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-0386

Affected Products

The following products are affected by CVE-2023-0386 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Netapp h410c_firmware
2 Netapp h300s_firmware
3 Netapp h500s_firmware
4 Netapp h700s_firmware
5 Netapp h410s_firmware
6 Netapp h300s
7 Netapp h410s
8 Netapp h500s
9 Netapp h700s
10 Netapp h410c
1 Linux linux_kernel
1 Canonical ubuntu_linux
1 Debian debian_linux
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 134c704f-9b21-4f2e-91b3-4a467353bcc0
CVSS 3.1 HIGH [email protected]
CVSS 3.1 HIGH 134c704f-9b21-4f2e-91b3-4a467353bcc0
Solution
This vulnerability requires updating the Linux kernel and related packages to address the privilege escalation.
  • Update the affected kernel packages.
  • Update other affected packages as needed.
  • Reboot the system if required by updates.
Public PoC/Exploit Available at Github

CVE-2023-0386 has a 105 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2023-0386 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2023-0386 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Copy fake in-memory files to disk using overlayFS

Makefile C

Updated: 1 week ago
0 stars 0 fork 0 watcher
Born at : June 28, 2026, 7:50 p.m. This repo has been linked 1 different CVEs too.

I just solved TwoMillion on Hack The Box!

Updated: 1 week, 2 days ago
0 stars 0 fork 0 watcher
Born at : June 26, 2026, 5:03 p.m. This repo has been linked 1 different CVEs too.

This repository contains my notes on Linux Privilege Escalation.

Updated: 1 week, 4 days ago
0 stars 0 fork 0 watcher
Born at : June 25, 2026, 7:53 a.m. This repo has been linked 7 different CVEs too.

None

Updated: 2 weeks, 1 day ago
1 stars 0 fork 0 watcher
Born at : June 20, 2026, 7:20 p.m. This repo has been linked 3 different CVEs too.

Next-gen container runtime with zero-copy DAG storage and P2P image sync. Run OCI images as Linux containers, Firecracker microVMs, or Apple Silicon VMs.

Makefile Go Shell Rust

Updated: 3 weeks, 2 days ago
2 stars 0 fork 0 watcher
Born at : June 11, 2026, 11:39 p.m. This repo has been linked 3 different CVEs too.

From deobfuscating code.js to root, CVE-2023-0386

cve-2023-0386 os-command-injection privesc reverse-shell web-application-security

Makefile C

Updated: 3 weeks, 3 days ago
0 stars 0 fork 0 watcher
Born at : June 11, 2026, 5:05 a.m. This repo has been linked 1 different CVEs too.

Walkthrough of Retired Machines

HTML

Updated: 1 day, 8 hours ago
1 stars 0 fork 0 watcher
Born at : June 10, 2026, 1:07 p.m. This repo has been linked 1 different CVEs too.

HackTheBox writeups for retired machines: Cap, TwoMillion, Support. Linux/Windows pentesting and AD attacks.

active-directory ctf cybersecurity hackthebox penetration-testing writeups

Updated: 1 month ago
0 stars 0 fork 0 watcher
Born at : June 1, 2026, 2:23 p.m. This repo has been linked 1 different CVEs too.

Ethical hacking machine writeups - full attack chains from recon to root with privilege escalation and persistence

ctf cybersecurity ethical-hacking linux offensive-security pentesting privilege-escalation red-team

Updated: 3 weeks, 1 day ago
1 stars 0 fork 0 watcher
Born at : May 27, 2026, 11:31 p.m. This repo has been linked 1 different CVEs too.

Operator-focused, detail-oriented enumeration script kit for enumerating large networks.

Makefile Shell Python C PowerShell Batchfile

Updated: 4 weeks ago
0 stars 0 fork 0 watcher
Born at : May 23, 2026, 3:50 p.m. This repo has been linked 15 different CVEs too.

Multi-architecture Linux privilege escalation toolkit with 19 pre-built and runtime-compilable exploits. Auto-detects kernel version, filters patched exploits, tries each until root.

ctf cybersecurity exploit gtfobins kernel-exploit linux penetration-testing privilege-escalation security

Makefile Shell C Go

Updated: 2 weeks, 2 days ago
90 stars 17 fork 17 watcher
Born at : May 21, 2026, 7:33 p.m. This repo has been linked 16 different CVEs too.

None

Jinja Shell

Updated: 1 week, 4 days ago
0 stars 0 fork 0 watcher
Born at : May 20, 2026, 11:44 a.m. This repo has been linked 1 different CVEs too.

Curated Linux LPE corpus — 28 modules from 2016 to 2026, with detection rules. One command, safest-first root: skeletonkey --auto --i-know

auditd blueteam cve detection-rules exploit-development kernel-security linux-security pentesting privilege-escalation redteam sigma

Makefile C Shell Assembly Python

Updated: 1 month ago
14 stars 1 fork 1 watcher
Born at : May 16, 2026, 11:26 p.m. This repo has been linked 4 different CVEs too.

Shinsenkyo — Discord-based C2 bot for Android device management. 200+ commands, live screen streaming, AI co-pilot, worm module deployment, and Jigokuraku UI theme.

android android-security c2-framework command-and-control discord-bot discord-c2 discord-js nodejs penetration-testing remote-administration hells-paradise jigokuraku

Dockerfile JavaScript Shell

Updated: 3 days, 17 hours ago
0 stars 0 fork 0 watcher
Born at : May 14, 2026, 1:28 p.m. This repo has been linked 2 different CVEs too.

None

Shell C

Updated: 1 month, 2 weeks ago
0 stars 0 fork 0 watcher
Born at : May 12, 2026, 12:20 p.m. This repo has been linked 8 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2023-0386 vulnerability anywhere in the article.

  • The Cyber Express
BadCam Attack Turns Trusted Linux Webcams into Stealthy USB Weapons

A new class of USB-based attacks has come to light. These attacks are not just targeting removable devices, but existing, trusted peripherals already connected to systems: Linux webcams. Attackers can ... Read more

Published Date: Aug 11, 2025 (10 months, 3 weeks ago)
  • The Cyber Express
CVE-2025-49763: Apache Traffic Server Vulnerability Enables Memory Exhaustion Attacks

A security flaw in Apache Traffic Server (ATS) is targeting cloud service providers worldwide. The vulnerability, identified as CVE-2025-49763, exposes affected systems to denial-of-service (DoS) atta ... Read more

Published Date: Jun 20, 2025 (1 year ago)
  • The Cyber Express
CISA Flags CVE-2023-0386 as Actively Exploited Linux Kernel Privilege Escalation Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about the active exploitation of a critical Linux kernel vulnerability, officially listed as CVE-2023-0386. The vulnerabilit ... Read more

Published Date: Jun 18, 2025 (1 year ago)
  • security.nl
Cyberagentschap VS meldt actief misbruik van lek in Linux-kernel

Aanvallers maken actief misbruik van een kwetsbaarheid in de Linux-kernel waardoor een niet-geprivilegeerde lokale gebruiker rootrechten kan krijgen. Dat laat het Amerikaanse cyberagentschap CISA wete ... Read more

Published Date: Jun 18, 2025 (1 year ago)
  • The Hacker News
CISA Warns of Active Exploitation of Linux Kernel Privilege Escalation Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday placed a security flaw impacting the Linux kernel in its Known Exploited Vulnerabilities (KEV) catalog, stating it has been ... Read more

Published Date: Jun 18, 2025 (1 year ago)
  • Daily CyberSecurity
Linux Kernel Flaw (CVE-2023-0386) Actively Exploited for Root Privilege Escalation, PoC Available

A dangerous Linux privilege escalation vulnerability, CVE-2023-0386, has officially entered the CISA Known Exploited Vulnerabilities (KEV) Catalog amid confirmed reports of active exploitation in the ... Read more

Published Date: Jun 18, 2025 (1 year ago)

The following table lists the changes that have been made to the CVE-2023-0386 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by [email protected]

    Jun. 17, 2026

    Action Type Old Value New Value
    Added Affected [{'vendor': 'n/a', 'product': 'Kernel', 'versions': [{'status': 'affected', 'version': 'Linux kernel 6.2-rc6'}]}]
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jun. 17, 2026

    Action Type Old Value New Value
    Added SSVC {'id': 'CVE-2023-0386', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'active'}, {'automatable': 'no'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2025-07-17T03:55:31.499341Z'}
  • Modified Analysis by [email protected]

    Nov. 04, 2025

    Action Type Old Value New Value
    Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-0386 Types: US Government Resource
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Oct. 22, 2025

    Action Type Old Value New Value
    Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-0386
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Oct. 21, 2025

    Action Type Old Value New Value
    Removed Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-0386
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Oct. 21, 2025

    Action Type Old Value New Value
    Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-0386
  • Modified Analysis by [email protected]

    Jun. 18, 2025

    Action Type Old Value New Value
    Added CPE Configuration OR *cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*
    Added CPE Configuration OR *cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* *cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:* *cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:lts:*:*:*
    Changed Reference Type CVE: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a Types: Mailing List, Patch, Vendor Advisory CVE: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a Types: Broken Link, Mailing List, Patch, Vendor Advisory
    Changed Reference Type Red Hat, Inc.: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a Types: Mailing List, Patch, Vendor Advisory Red Hat, Inc.: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a Types: Broken Link, Mailing List, Patch, Vendor Advisory
    Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html Types: Mailing List, Third Party Advisory
    Added Reference Type Red Hat, Inc.: https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html Types: Mailing List, Third Party Advisory
  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Jun. 18, 2025

    Action Type Old Value New Value
    Added Date Added 2025-06-17
    Added Due Date 2025-07-08
    Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
    Added Vulnerability Name Linux Kernel Improper Ownership Management Vulnerability
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jun. 16, 2025

    Action Type Old Value New Value
    Removed CWE CWE-282
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Feb. 26, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-282
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference http://packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html
    Added Reference https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a
    Added Reference https://lists.debian.org/debian-lts-announce/2023/06/msg00008.html
    Added Reference https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
    Added Reference https://security.netapp.com/advisory/ntap-20230420-0004/
    Added Reference https://www.debian.org/security/2023/dsa-5402
  • CVE Modified by [email protected]

    Jun. 27, 2024

    Action Type Old Value New Value
    Added Reference Red Hat, Inc. https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html [No types assigned]
  • CVE Modified by [email protected]

    May. 14, 2024

    Action Type Old Value New Value
  • Modified Analysis by [email protected]

    Jun. 26, 2023

    Action Type Old Value New Value
    Changed Reference Type http://packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html No Types Assigned http://packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html Third Party Advisory
    Changed Reference Type https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a Mailing List, Patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a Mailing List, Patch, Vendor Advisory
    Changed Reference Type https://lists.debian.org/debian-lts-announce/2023/06/msg00008.html No Types Assigned https://lists.debian.org/debian-lts-announce/2023/06/msg00008.html Mailing List, Third Party Advisory
    Changed Reference Type https://security.netapp.com/advisory/ntap-20230420-0004/ No Types Assigned https://security.netapp.com/advisory/ntap-20230420-0004/ Third Party Advisory
    Changed Reference Type https://www.debian.org/security/2023/dsa-5402 No Types Assigned https://www.debian.org/security/2023/dsa-5402 Third Party Advisory
    Changed CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to (excluding) 6.2 *cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:* OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.91 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.9 *cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:*
  • CVE Modified by [email protected]

    Jun. 22, 2023

    Action Type Old Value New Value
    Added Reference http://packetstormsecurity.com/files/173087/Kernel-Live-Patch-Security-Notice-LSN-0095-1.html [No Types Assigned]
  • CVE Modified by [email protected]

    Jun. 05, 2023

    Action Type Old Value New Value
    Added Reference https://lists.debian.org/debian-lts-announce/2023/06/msg00008.html [No Types Assigned]
  • CVE Modified by [email protected]

    May. 14, 2023

    Action Type Old Value New Value
    Added Reference https://www.debian.org/security/2023/dsa-5402 [No Types Assigned]
  • CVE Modified by [email protected]

    Apr. 20, 2023

    Action Type Old Value New Value
    Added Reference https://security.netapp.com/advisory/ntap-20230420-0004/ [No Types Assigned]
  • Initial Analysis by [email protected]

    Mar. 27, 2023

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Changed Reference Type https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a No Types Assigned https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a Mailing List, Patch
    Added CWE NIST NVD-CWE-Other
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to (excluding) 6.2 *cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:*
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.