Write a blog analysis for a CVE
Summary
A Linux kernel bug in overlayfs can lead to a dangerous root privilege escalation. Overlayfs combines two layers, upper and lower, into a single filesystem. Changes to lower-layer files are reflected in the upper layer, but things get tricky when the upper and lower directories are in different user namespaces. By creating a lower directory inside their own user namespace, where they hold fake root privileges, an attacker can make a root-owned setuid binary. When this binary is copied into a world-writable directory like /tmp, it becomes a real root-owned setuid binary. This opens a pathway for running attacker-controlled code as the root user, posing a significant security risk.
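A defender-side check for the end state described above, as an added example that is not part of the original page: it walks world-writable directories and reports root-owned setuid regular files, noting whether the mount is nosuid (in which case the kernel ignores the setuid bit at exec time). The function names and the directory list are assumptions.

```python
import os
import stat

# Assumed list of world-writable locations to audit; adjust per host.
WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")

def on_nosuid_mount(path):
    """True if the filesystem holding path is mounted nosuid."""
    try:
        return bool(os.statvfs(path).f_flag & os.ST_NOSUID)
    except OSError:
        return False  # cannot tell; assume the setuid bit is honoured

def find_setuid_files(root, owner_uid=0):
    """Return sorted (path, nosuid) pairs for setuid regular files under
    root that are owned by owner_uid (0 = real root)."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or unreadable
            if not stat.S_ISREG(st.st_mode):
                continue  # skips symlinks to legitimate setuid binaries
            if st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
                findings.append((path, on_nosuid_mount(path)))
    return sorted(findings)

if __name__ == "__main__":
    for top in WORLD_WRITABLE:
        if not os.path.isdir(top):
            continue
        for path, nosuid in find_setuid_files(top):
            state = "inert (nosuid mount)" if nosuid else "EXECUTABLE AS ROOT"
            print(f"{path}: root-owned setuid file, {state}")
```

Mounting /tmp and similar directories with nosuid makes any such file inert, which is why the report distinguishes the two cases.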