An attacker with a low-privileged user on a Linux machine with an overlay mount which has a file capability in one of its layers may escalate his privileges up to root when copying a capable file from a nosuid mount into another mount. This vulnerability is similar to CVE-2021-3847, but requires fewer permissions to run, so it has a higher priority.

The steps to reproduce:
1. Mount a FUSE filesystem that exposes a root-owned setuid/setgid binary that is world writable.
2. Unshare user/mount namespaces.
3. Mount an overlay with the FUSE fs as the lower dir, and a user-writable upper dir (as usual). Make sure that the upper dir is on a filesystem that is not mounted with `nosuid`.
4. Touch the file at the merged path to update its mtime, which will trigger a copy-up of the file.
5. The setuid/gid bits are not cleared by the kernel, so the upper directory will contain a copy of the binary with the setuid bits.
6. Run the binary from the upper dir and it will run as root.

The previous CVE-2021-3847 involves file capabilities (xattrs). Xattrs have special rules with user namespaces, so the copied-up file will not have capabilities that are valid on the host. The "new" bug makes use of setgid/setuid bits, which are not user-namespace specific. CVE-2021-3847 also specifically talks about USB mounts, which requires physical access and is disabled in most production environments. FUSE, on the other hand, does not require physical access, and is installed in many production environments (Ubuntu out of the box, RH/Fedora if any number of popular packages are installed).

To recap: the existing reproducer (POC) for this one escalates privileges to root if FUSE is installed on the system, and if unprivileged overlayfs mounts are allowed (i.e., any kernel 5.11+ with unprivileged user namespaces enabled).
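Because the copied-up setuid binary ends up in the overlay's upper directory on the host filesystem, a defender can audit those directories. The script below is an added example (not code from the bug report, the kernel, or the reproducer): it parses overlay mounts and their upperdir= option out of a mountinfo file and lists every regular file with the setuid or setgid bit, flagging root-owned ones. It assumes the audited mount namespace's mountinfo is readable (/proc/<pid>/mountinfo for other namespaces) and ships a constructed fixture, demo_fixture(), so it runs without root.

```python
"""Audit overlayfs upper directories for setuid/setgid files (added example)."""
import os
import stat
import tempfile
from typing import Iterable, List, Tuple


def overlay_upperdirs(mountinfo_lines: Iterable[str]) -> List[str]:
    """Extract upperdir= paths of overlay mounts from mountinfo text.

    Each line reads "<mount fields> - <fstype> <source> <super options>"; the
    upperdir option sits in the super options. Spaces are escaped as \\040.
    """
    found = []
    for line in mountinfo_lines:
        _, sep, tail = line.partition(" - ")
        parts = tail.split()
        if not sep or len(parts) < 3 or parts[0] != "overlay":
            continue
        for opt in parts[2].split(","):
            if opt.startswith("upperdir="):
                found.append(opt[len("upperdir="):].replace("\\040", " "))
    return found


def find_setid_files(root: str) -> List[Tuple[str, int, int]]:
    """Return (path, permission bits, owner uid) for regular files under root
    carrying the setuid or setgid bit. A root-owned hit inside an upper dir an
    unprivileged user controls is exactly what the copy-up bug leaves behind."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, stat.S_IMODE(st.st_mode), st.st_uid))
    return hits


def audit(mountinfo_path: str = "/proc/self/mountinfo") -> List[Tuple[str, int, int]]:
    """Scan every overlay upper dir visible in the given mount namespace."""
    with open(mountinfo_path) as f:
        dirs = overlay_upperdirs(f)
    return [hit for d in dirs for hit in find_setid_files(d)]


def demo_fixture() -> Tuple[str, str]:
    """Constructed sample input: a temp 'upper dir' (with a space in its name)
    holding one setuid file owned by the current user, plus a mountinfo line."""
    d = tempfile.mkdtemp(prefix="upper ")
    open(os.path.join(d, "suspect"), "w").close()
    os.chmod(os.path.join(d, "suspect"), 0o4755)
    esc = d.replace(" ", "\\040")
    return d, f"67 40 0:49 / /merged rw - overlay overlay rw,lowerdir=/low,upperdir={esc},workdir=/work"


if __name__ == "__main__":
    for path, mode, uid in audit():
        print(f"{'ROOT-OWNED' if uid == 0 else 'non-root':10} uid={uid} mode={mode:04o} {path}")
```

Run it as root against /proc/<pid>/mountinfo of each container or user namespace; the upper directory outlives the namespace, so a host-wide scan for root-owned setuid files under user-writable paths complements it.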
References:
Fix commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a
Reference for the previous similar CVE-2021-3847: https://www.openwall.com/lists/oss-security/2021/10/14/3
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2180765]
This was fixed for Fedora with the 6.1.9 stable kernel updates.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.6 Extended Update Support via RHSA-2023:1554 https://access.redhat.com/errata/RHSA-2023:1554
Red Hat Enterprise Linux 8 via RHSA-2023:1584 https://access.redhat.com/errata/RHSA-2023:1584
Red Hat Enterprise Linux 8 via RHSA-2023:1566 https://access.redhat.com/errata/RHSA-2023:1566
Red Hat Enterprise Linux 8.6 Extended Update Support via RHSA-2023:1660 https://access.redhat.com/errata/RHSA-2023:1660
Red Hat Enterprise Linux 8 via RHSA-2023:1659 https://access.redhat.com/errata/RHSA-2023:1659
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 via RHSA-2023:1677 https://access.redhat.com/errata/RHSA-2023:1677
Red Hat Enterprise Linux 9 via RHSA-2023:1681 https://access.redhat.com/errata/RHSA-2023:1681
Red Hat Enterprise Linux 9 via RHSA-2023:1691 https://access.redhat.com/errata/RHSA-2023:1691
Red Hat Enterprise Linux 9 via RHSA-2023:1703 https://access.redhat.com/errata/RHSA-2023:1703
Red Hat Enterprise Linux 9.0 Extended Update Support via RHSA-2023:1980 https://access.redhat.com/errata/RHSA-2023:1980
Red Hat Enterprise Linux 9.0 Extended Update Support via RHSA-2023:1984 https://access.redhat.com/errata/RHSA-2023:1984
Red Hat Enterprise Linux 9.0 Extended Update Support via RHSA-2023:1970 https://access.redhat.com/errata/RHSA-2023:1970