Back to Intelligence

CVE-2023-2640 & CVE-2023-32629: Ubuntu Linux Kernel OverlayFS Privilege Escalation — Detection and Remediation Guide

SA
Security Arsenal Team
May 23, 2026
7 min read

Local attackers can exploit OverlayFS permission check flaws in Ubuntu Linux kernel to gain elevated privileges. Immediate patching required for Ubuntu GCP environments.

Introduction

Two critical privilege escalation vulnerabilities (CVE-2023-2640 and CVE-2023-32629) have been identified in the Ubuntu Linux kernel's OverlayFS implementation. These flaws, discovered by security researchers Stonejiajia, Shir Tamari, and Sagi Tzadik, allow local attackers to bypass critical permission checks and potentially gain root-level access to affected systems. The vulnerability is particularly concerning for containerized environments and multi-tenant systems where OverlayFS is commonly used.

The USN-8297-1 security notice also addresses additional kernel vulnerabilities affecting the ARM64 architecture, block layer subsystem, drivers core, Bluetooth drivers, and DMA subsystems—making this a comprehensive kernel update that demands immediate attention from security teams.

Technical Analysis

Affected Products and Platforms

  • Product: Ubuntu Linux Kernel (GCP)
  • Platform: Linux
  • Security Notice: USN-8297-1

CVE Details

CVE-2023-2640 and CVE-2023-32629

  • Component: OverlayFS implementation in Ubuntu Linux kernel
  • Vulnerability Type: Improper Permission Checks (CWE-862)
  • Impact: Local Privilege Escalation
  • Access Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None

How the Vulnerability Works

OverlayFS is a unioning filesystem that allows combining multiple directories into a single logical view. It is widely used in container technologies like Docker, containerd, and in filesystem snapshot systems. The vulnerability stems from improper permission checks during certain OverlayFS operations.

When a local attacker creates specific directory structures or files in the upper layer of an overlay mount, the kernel may fail to properly validate permissions when operations are performed through the OverlayFS interface. This can allow the attacker to:

  1. Create files with elevated permissions (SUID/SGID bits)
  2. Execute code with higher privileges than originally granted
  3. Bypass access controls on files that should be restricted

The attack chain is straightforward:

  1. Attacker gains local access (via another vulnerability, compromised account, or container escape)
  2. Attacker crafts exploit leveraging OverlayFS permission check flaw
  3. Attacker executes crafted operation to escalate privileges to root

Exploitation Status

These vulnerabilities have been publicly disclosed by researchers including Shir Tamari (known for Linux kernel research). Given the technical nature of the vulnerability and the history of similar OverlayFS vulnerabilities being exploited in the wild, security teams should treat these as active threats and assume exploitation capabilities exist.

While not yet listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at time of publication, the ease of exploitation and widespread use of OverlayFS in container environments makes these CVEs critical for immediate remediation.

Detection & Response

Sigma Rules

YAML
---
title: Linux Kernel OverlayFS Privilege Escalation - SUID File Creation
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects potential local privilege escalation via OverlayFS vulnerabilities (CVE-2023-2640, CVE-2023-32629) by identifying SUID file creation in OverlayFS mount points
references:
  - https://ubuntu.com/security/notices/USN-8297-1
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2640
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32629
author: Security Arsenal
date: 2025/04/16
tags:
  - attack.privilege_escalation
  - attack.t1068
  - cve.2023.2640
  - cve.2023.32629
logsource:
  category: file_event
  product: linux
detection:
  selection:
    TargetPath|contains:
      - '/overlay'
      - 'merged/'
      - 'upper/'
  filter_suid:
    mode|contains: 's'
  condition: selection and filter_suid
falsepositives:
  - Legitimate container operations (Docker, containerd)
  - Authorized system administration
level: high
---
title: Linux Kernel OverlayFS Exploit Patterns
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects execution of common exploit patterns associated with OverlayFS privilege escalation vulnerabilities
references:
  - https://ubuntu.com/security/notices/USN-8297-1
author: Security Arsenal
date: 2025/04/16
tags:
  - attack.privilege_escalation
  - attack.t1068
  - cve.2023.2640
  - cve.2023.32629
logsource:
  category: process_creation
  product: linux
detection:
  selection_compile:
    CommandLine|contains:
      - 'gcc -o'
      - 'cc -o'
  selection_temp:
    ImagePath|contains:
      - '/tmp/'
      - '/dev/shm/'
      - '/var/tmp/'
  selection_overlay:
    CommandLine|contains:
      - 'overlay'
      - 'fuse'
  selection_chmod:
    CommandLine|contains:
      - 'chmod 4755'
      - 'chmod u+s'
  condition: (selection_compile and selection_temp) or (selection_overlay and selection_chmod)
falsepositives:
  - Legitimate software development
  - System administration testing
level: medium
---
title: Linux Kernel OverlayFS Mount from Suspicious Context
id: 3c4d5e6f-7a8b-9c0d-1e2f-3a4b5c6d7e8f
status: experimental
description: Detects OverlayFS mount operations from user-controlled directories that may indicate exploitation attempts
references:
  - https://ubuntu.com/security/notices/USN-8297-1
author: Security Arsenal
date: 2025/04/16
tags:
  - attack.privilege_escalation
  - attack.t1068
  - cve.2023.2640
  - cve.2023.32629
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ImagePath|endswith: '/bin/mount'
    CommandLine|contains: '-t overlay'
  context:
    CommandLine|contains:
      - '/tmp/'
      - '/dev/shm/'
      - '/var/tmp/'
      - '/home/'
  condition: selection and context
falsepositives:
  - Docker/container operations
  - User namespaces operations
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for potential OverlayFS privilege escalation in Linux Syslog
let timeframe = 1d;
Syslog
| where TimeGenerated >= ago(timeframe)
| where SyslogMessage contains "overlay"
| where SyslogMessage contains "mount" 
   or SyslogMessage contains "chmod"
   or SyslogMessage contains "suid"
| project TimeGenerated, Computer, Facility, ProcessName, SyslogMessage
| order by TimeGenerated desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for SUID files in OverlayFS mount points
SELECT FullPath, Mode, Size, Mtime, Atime, User.uid, User.name
FROM glob(globs=['/**/merged/**', '/**/upper/**'], accessor='auto')
WHERE Mode =~ 's'

Remediation Script (Bash)

Bash / Shell
#!/bin/bash
# Ubuntu Kernel Vulnerability Remediation Script
# Addresses USN-8297-1: CVE-2023-2640 and CVE-2023-32629

echo "Checking for Ubuntu kernel vulnerabilities..."
echo "Security Notice: USN-8297-1"
echo ""

# Check if running Ubuntu
if [ ! -f /etc/lsb-release ]; then
    echo "This system is not running Ubuntu. Exiting."
    exit 1
fi

# Get current Ubuntu version
. /etc/lsb-release
echo "Detected Ubuntu version: $DISTRIB_DESCRIPTION"
echo ""

# Check current kernel version
current_kernel=$(uname -r)
echo "Current kernel version: $current_kernel"
echo ""

# Check for OverlayFS mounts
echo "Checking for OverlayFS mounts..."
mount | grep overlay
echo ""

# Check for recent SUID files
echo "Checking for recently modified SUID files..."
find / -type f -perm -4000 -mtime -1 2>/dev/null | head -20
echo ""

# Apply security updates
echo "Applying security updates..."
sudo apt-get update

echo "Installing kernel security updates..."
sudo apt-get install -y linux-image-generic linux-headers-generic

echo ""
echo "For complete remediation details, visit:"
echo "https://ubuntu.com/security/notices/USN-8297-1"
echo ""
echo "Note: A system reboot is required to activate the new kernel."

Remediation

Immediate Actions

  1. Apply Security Update USN-8297-1

    • Run sudo apt update && sudo apt upgrade to apply the security update
    • Ensure the kernel package update includes the fixes for CVE-2023-2640 and CVE-2023-32629

  2. System Restart

    • A system reboot is required to load the updated kernel
    • Schedule this maintenance window appropriately to minimize impact

  3. Verify Patch Installation

    • After reboot, verify the kernel version with uname -r
    • Check that the installed kernel packages are the patched versions

  4. Review Local Access

    • Audit user accounts with local access to systems
    • Review logs for signs of privilege escalation attempts

Official Vendor Advisory

Workarounds

If immediate patching is not possible:

  • Restrict local access to systems, particularly for untrusted users
  • Monitor for suspicious file creation in OverlayFS mount points
  • Implement application allowlisting to prevent exploit execution
  • Restrict compilation tools (gcc, cc) to authorized users only

Additional Subsystem Fixes

This update also addresses vulnerabilities in:

  • ARM64 architecture
  • Block layer subsystem
  • Drivers core
  • Bluetooth drivers
  • DMA

Ensure these components are reviewed as part of your overall patch management strategy.

Timeline

  • CISA KEV Status: Not currently listed (as of initial publication)
  • Recommended Action: Patch within 72 hours for internet-facing or critical systems
  • Monitoring: Continue monitoring for 14 days post-patch for exploit attempts

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosureubuntucve-2023-2640cve-2023-32629

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action