CVE-2021-3493

Summary

The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.

Affected Software

VendorProductVersion RangeStatus
Ubuntulinux kernel5.8 kernel < 5.8.0-50.56affected
Ubuntulinux kernel5.4 kernel < 5.4.0-72.80affected
Ubuntulinux kernel4.15 kernel < 4.15.0-142.146affected
Ubuntulinux kernel4.4 kernel < 4.4.0-209.241affected

Weaknesses

  • CWE-270: CWE-270: Privilege Context Switching Error

Workarounds

Disable unprivileged user namespaces.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: no
    • Technical Impact: total

Additional References

References