All these are mostly the same: Overlayfs can be mounted inside a user namespace, but the security checks and value validation when copying up files and their metadata from the lower to the upper layer inside the user namespace were not sufficient. As software evolves, such things can happen.
This allows unprivileged users to abuse Overlayfs by creating a user namespace, gaining certain capabilities, mounting the overlayfs file system, changing file attributes of binaries, initiating the copy-up, and finally executing them from the initial user namespace to gain full privileges.
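A defensive check for the pattern described above, as an added example that is not from the original post: it flags overlay mounts visible to processes outside the initial user namespace whose superblock device is absent from PID 1's mount table, meaning they were created rather than inherited. The function names and the sample mount tables are constructed for illustration.

```python
import os

# Constructed sample data (not captured from a real host).
INIT_USERNS = "user:[4026531837]"
INIT_MOUNTINFO = (
    "22 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw\n"
    "41 22 0:45 / /srv/merged rw,relatime shared:20 - overlay overlay "
    "rw,lowerdir=/srv/l,upperdir=/srv/u,workdir=/srv/w\n")
CHILD_MOUNTINFO = INIT_MOUNTINFO + (
    "331 310 0:61 / /tmp/m rw,relatime - overlay overlay "
    "rw,lowerdir=/tmp/l,upperdir=/tmp/u,workdir=/tmp/w\n")
SAMPLE_PROCS = [(1000, INIT_USERNS, INIT_MOUNTINFO),
                (4242, "user:[4026532501]", CHILD_MOUNTINFO)]

def overlay_mounts(mountinfo_text):
    """Map superblock device (major:minor) -> (mount point, options) for overlay mounts.

    In mountinfo a lone "-" ends the optional fields; fstype, source, options follow."""
    found = {}
    for line in mountinfo_text.splitlines():
        left, sep, right = line.partition(" - ")
        fields, tail = left.split(), right.split()
        if sep and len(fields) >= 5 and len(tail) >= 3 and tail[0] == "overlay":
            found[fields[2]] = (fields[4], tail[2])
    return found

def flag_overlay_in_userns(procs, init_userns, init_mountinfo):
    """Overlay mounts held outside the initial user namespace and not inherited from PID 1."""
    host_devs = set(overlay_mounts(init_mountinfo))  # superblocks the host already has
    hits = []
    for pid, userns, mountinfo in procs:
        for dev, (mount_point, opts) in overlay_mounts(mountinfo).items():
            if userns != init_userns and dev not in host_devs:
                hits.append((pid, userns, mount_point, opts))
    return hits

def scan_host(proc="/proc"):
    """Same check on a live system; needs root to read other processes' entries."""
    procs = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/mountinfo") as fh:
                procs.append((int(pid), os.readlink(f"{proc}/{pid}/ns/user"), fh.read()))
        except OSError:
            continue  # process exited, or not readable without privileges
    with open(f"{proc}/1/mountinfo") as fh:
        return flag_overlay_in_userns(procs, os.readlink(f"{proc}/1/ns/user"), fh.read())

if __name__ == "__main__":
    print(flag_overlay_in_userns(SAMPLE_PROCS, INIT_USERNS, INIT_MOUNTINFO))
```

Rootless container runtimes mount overlayfs inside a user namespace legitimately, so hits from `scan_host()` are items to review against expected workloads rather than confirmed abuse.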
so.cl
Prevent Overlayfs Privilege Escalation on Ubuntu Kernels with Yaml (bpf)