Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

CVE-2023-0386 - OverlayFS Privilege Escalation Risk - Still Unpatched in Unraid 7.1.4

Featured Replies

Hi Unraid team,

I'd like to raise a security concern affecting the latest Unraid 7.1.4 release (2025-06-18).


⚠️ Vulnerability Context

Unraid systems (including 7.1.4) run Linux kernel 6.12.24-Unraid, which is still vulnerable to CVE-2023-0386 — a known local privilege escalation flaw in the OverlayFS filesystem.

This CVE is now:

  • Actively exploited in the wild (confirmed by CISA)

  • Patched in Linux 6.2-rc6+

  • Not mentioned or backported in 7.1.4’s changelog


How Unraid Is Affected

Unraid uses OverlayFS by default.

Here is a Proof-of-Vulnerability script:

#!/bin/bash
echo "=== OverlayFS Vulnerability Checker ==="

# 1. Show kernel version
echo -e "\n[+] Kernel version:"
uname -r

# 2. Check if OverlayFS is supported
echo -e "\n[+] OverlayFS support in kernel:"
cat /proc/filesystems | grep overlay && echo "OverlayFS is supported" || echo "OverlayFS NOT supported"

# 3. Check if OverlayFS is mounted
echo -e "\n[+] OverlayFS active mounts:"
mount | grep overlay

# 4. Show detailed mountinfo (proves upperdir/workdir are present)
echo -e "\n[+] Detailed OverlayFS mountinfo:"
cat /proc/self/mountinfo | grep overlay

# 5. Optional: check if module is loaded (informational only)
echo -e "\n[+] Kernel module status (optional):"
lsmod | grep overlay || echo "OverlayFS not a module or not listed in lsmod (could be built-in)"

echo -e "\n[!] If OverlayFS is mounted AND kernel version < 6.2 => System is vulnerable to CVE-2023-0386 unless patched.\n"

Result:

=== OverlayFS Vulnerability Checker ===

[+] Kernel version:
6.12.24-Unraid

[+] OverlayFS support in kernel:
nodev   overlay
OverlayFS is supported

[+] OverlayFS active mounts:
overlay on /usr type overlay (rw,relatime,lowerdir=/usr,upperdir=/var/local/overlay/usr,workdir=/var/local/overlay-work/usr,uuid=on)
overlay on /lib type overlay (rw,relatime,lowerdir=/lib,upperdir=/var/local/overlay/lib,workdir=/var/local/overlay-work/lib,uuid=on)

[+] Detailed OverlayFS mountinfo:
30 27 0:24 / /usr rw,relatime - overlay overlay rw,lowerdir=/usr,upperdir=/var/local/overlay/usr,workdir=/var/local/overlay-work/usr,uuid=on
34 31 0:27 / /lib rw,relatime - overlay overlay rw,lowerdir=/lib,upperdir=/var/local/overlay/lib,workdir=/var/local/overlay-work/lib,uuid=on

[+] Kernel module status (optional):
OverlayFS not a module or not listed in lsmod (could be built-in)

[!] If OverlayFS is mounted AND kernel version < 6.2 => System is vulnerable to CVE-2023-0386 unless patched.

This satisfies all CVE-2023-0386 exploit preconditions:

  • A malicious plugin or Docker container with basic file write access could escalate to root

  • It's a silent, local risk — no SUID or setcap needed


🧪 Confirmed:

  • Kernel: uname -r6.12.24-Unraid

  • OverlayFS in use: confirmed on /usr, /lib

  • No security fixes listed in 7.1.4 release notes


🔐 Suggested Actions

  1. Backport the OverlayFS fix from Linux 6.2-rc6 or later into 6.12.24-Unraid

  2. Clearly document any CVE-related patching in future changelogs

  3. Optionally provide a temporary advisory on unraid.net and encourage minimal plugin/container exposure for security-conscious users


📦 Supplemental Audit

I’ve written a lightweight script that checks for:

  • New or modified SUID binaries

  • Suspicious Linux capabilities

  • SHA256 hash changes to binaries under /usr, /lib, /etc

#!/bin/bash

# OverlayFS security audit script with SUID, capabilities, and SHA256 change detection
LOGFILE="/var/log/overlayfs_audit.log"
SUID_DB="/var/local/overlayfs_suid_baseline.txt"
CAP_DB="/var/local/overlayfs_caps_baseline.txt"
HASH_DB="/var/local/overlayfs_hashes_baseline.txt"
TMP_DIR="/tmp/overlayfs_audit_tmp"

# Directories to scan (expanded list)
SCAN_DIRS=("/usr" "/lib" "/etc" "/opt" "/bin")

mkdir -p "$TMP_DIR"
echo "=== OverlayFS Security Audit @ $(date) ===" >> "$LOGFILE"

# 1. Scan for new SUID files
echo "[*] Scanning for SUID binaries..." | tee -a "$LOGFILE"
find "${SCAN_DIRS[@]}" -xdev -perm -4000 -type f 2>/dev/null | sort > "$TMP_DIR/current_suid.txt"

if [ -f "$SUID_DB" ]; then
    echo "[*] Comparing with SUID baseline..." | tee -a "$LOGFILE"
    comm -13 "$SUID_DB" "$TMP_DIR/current_suid.txt" >> "$LOGFILE"
else
    echo "[!] No SUID baseline found. Creating new one." | tee -a "$LOGFILE"
    cp "$TMP_DIR/current_suid.txt" "$SUID_DB"
fi

# 2. Scan for files with capabilities
echo "[*] Scanning for files with Linux capabilities..." | tee -a "$LOGFILE"
getcap -r "${SCAN_DIRS[@]}" 2>/dev/null | sort > "$TMP_DIR/current_caps.txt"

if [ -f "$CAP_DB" ]; then
    echo "[*] Comparing capabilities with baseline..." | tee -a "$LOGFILE"
    comm -13 "$CAP_DB" "$TMP_DIR/current_caps.txt" >> "$LOGFILE"
else
    echo "[!] No capabilities baseline found. Creating new one." | tee -a "$LOGFILE"
    cp "$TMP_DIR/current_caps.txt" "$CAP_DB"
fi

# 3. SHA256 hash monitoring for tracked directories
echo "[*] Generating SHA256 file hashes..." | tee -a "$LOGFILE"
find "${SCAN_DIRS[@]}" -xdev -type f -exec sha256sum {} + 2>/dev/null | sort > "$TMP_DIR/current_hashes.txt"

if [ -f "$HASH_DB" ]; then
    echo "[*] Comparing hashes with baseline..." | tee -a "$LOGFILE"
    diff -u "$HASH_DB" "$TMP_DIR/current_hashes.txt" | grep -E '^\+|^-' | grep -vE '^\+\+\+|^---' >> "$LOGFILE"
else
    echo "[!] No hash baseline found. Creating new one." | tee -a "$LOGFILE"
    cp "$TMP_DIR/current_hashes.txt" "$HASH_DB"
fi

# Cleanup
rm -rf "$TMP_DIR"
echo "=== Audit complete ===" >> "$LOGFILE"
echo "Results saved to $LOGFILE"

Thanks for your hard work — Unraid is an amazing platform. Just wanted to raise this now that exploit activity is increasing and many users may not be aware this risk applies to home servers too.

If the Unraid dev team would like more info, feel free to reach out to me via LinkedIn or the Unraid forum — happy to help however I can.

Solved by limetech

Unraid is running kernel 6.12 which is greater than 6.2 so I should have the CVE patched.

I broke out the magnifying glass but couldn't find that pesky decimal place between the 1 and 2 in "12" 🧐 🤣

Kernel 6.1.9 (not subject to the CVE) was released back in 2022 BTW.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.