DescriptionThe aufs module for the Linux kernel 3.x and 4.x does not properly restrict the mount namespace, which allows local users to gain privileges by mounting an aufs filesystem on top of a FUSE filesystem, and then executing a crafted setuid program.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux (PTS)buster4.19.249-2fixed
buster (security)4.19.282-1fixed
bullseye (security)5.10.179-1fixed
bookworm, sid6.1.27-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linuxsourcewheezy(not affected)


[jessie] - linux <ignored> (Not exploitable in default configuration)
[wheezy] - linux <not-affected> (Vulnerable code is not present)
This depends on a user namespace creator being able to mount aufs.
jessie: Unprivileged users are not allowed to create user namespaces by default; aufs is not allowed to be mounted from a new user namespace by default.
wheezy: User namespaces are non-functional.

Search for package or bug name: Reporting problems