CVE-2023-1386: 
Linux Debian vulnerability analysis and mitigation

A flaw was discovered in the 9p passthrough filesystem (9pfs) implementation in QEMU, identified as CVE-2023-1386. The vulnerability was reported in July 2023 and affects QEMU's filesystem implementation. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped (NVD, Debian).

The vulnerability has a CVSS base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from the lack of proper handling of SUID and SGID bits during file write operations in the 9pfs implementation. The core misbehavior relates to permission bit inheritance for both newly created directories and files (GitHub Issue).

In rare circumstances, when an executable file owned by root is writable by others and has SUID/SGID bits set, this vulnerability could be exploited by malicious users in the guest to elevate their privileges within the guest environment. Additionally, it could potentially help a host local user to elevate privileges on the host system (Ubuntu, Red Hat).

As of January 2025, there is no official upstream fix available for this vulnerability. The suggested fix involves adding a check to kill SUID/SGID in v9fsfilewriteiter() or calling filemodified() in the same function. Additionally, dropping CAP_FSETID on every write operation, similar to what virtfs-proxy-helper does, could help mitigate the issue (GitHub Issue).