Description
In shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, several locations which shift ids translate user/group ids before performing operations in the lower filesystem were translating them into init_user_ns, whereas they should have been translated into the s_user_ns for the lower filesystem. This resulted in using ids other than the intended ones in the lower fs, which likely did not map into the shifts s_user_ns. A local attacker could use this to possibly bypass discretionary access control permissions.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Google Security Research · textdoslinux
https://www.exploit-db.com/exploits/47693
References (3)
Scores
CVSS v3
6.5
EPSS
0.0003
EPSS Percentile
9.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Details
CWE
CWE-276
CWE-538
Status
published
Products (4)
canonical/ubuntu_linux
18.04
canonical/ubuntu_linux
19.04
linux/linux_kernel
5.0
linux/linux_kernel
5.3
Published
Apr 24, 2020
Tracked Since
Feb 18, 2026