A new report says nearly 40% of Ubuntu users are vulnerable to a pair of kernel vulnerabilities unique to Ubuntu and its derivative distributions.

According to Wiz researchers Sagi Tzadik and Shir Tamari, the issues stem from Ubuntu’s OverlayFS module. Several years ago, Ubuntu made custom modifications to OverlayFS. When combined with the changes made to the mainline Linux kernel, however, vulnerabilities in Ubuntu were overlooked, as the researchers describe:

The two vulnerabilities are exclusive to Ubuntu because Ubuntu introduced several changes to the OverlayFS module in 2018. These modifications did not pose any risks at the time. In 2020, a security vulnerability was discovered and patched in the Linux kernel, however due to Ubuntu’s modifications, an additional vulnerable flow was never fixed in Ubuntu. This shows the complex relationship between Linux kernel and distro versions, when both are updating the kernel for different use cases. This complexity poses hard-to-predict risks.

The researchers say that Ubuntu’s modifications pose serious risks to users:

Our team has discovered significant flaws in Ubuntu’s modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine. Linux has a feature called “file capabilities” that grants elevated privileges to executables while they’re executed. This feature is reserved for the root user, while lower-privileged users cannot create such files. However, we discovered that it’s possible to craft an executable file with “scoped” file capabilities and trick the Ubuntu kernel into copying it to a different location with “unscoped” capabilities, granting anyone who executes it root-like privileges.

Fortunately, the researchers say that remote exploitation of these vulnerabilities — labeled CVE-2023-2640 and CVE-2023-32629 — is “improbable,” and local access to a machine is likely required.

However, all users should update their kernel as soon as possible to mitigate these two security issues.