The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Linux kernel vulnerability, CVE-2023-0386, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Originally patched in early 2023, this flaw carries a CVSS score of 7.8 and involves improper ownership management within the Linux kernel's OverlayFS subsystem. The vulnerability allows a local attacker to escalate privileges by copying capable files from a nosuid mount into another mount, bypassing ownership checks.

Security researchers from Datadog and Wiz have demonstrated how the vulnerability can be easily exploited. Datadog explained that attackers can trick the kernel into creating a root-owned SUID binary in a temporary directory like /tmp, enabling privilege escalation. The flaw arises because the kernel fails to verify whether file owners are mapped in the current user namespace during copy operations. Wiz later highlighted similar issues through two other vulnerabilities—CVE-2023-32629 and CVE-2023-2640—on Ubuntu systems, which also allow unauthorized users to gain root access.

Although the precise methods used in active attacks remain unclear, the potential for exploitation is significant. As a result, CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies patch the vulnerability by July 8, 2025, to mitigate the risks posed by these escalating threats. This move underscores the critical importance of promptly addressing kernel-level vulnerabilities in widely used systems like Linux.