Sudoproject Sudo

Sudo 1.9.17p1: sudoers host filter bypass for unintended hosts
CVE-2025-32462 2.8 - Low - June 30, 2025

Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.

AuthZ

Sudo <1.9.17p1 LPE via chroot /etc/nsswitch.conf
CVE-2025-32463 9.3 - Critical - June 30, 2025

Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.

Inclusion of Functionality from Untrusted Control Sphere

sudo IPA Hostname Privilege Escalation via Unpropagated ipa_hostname
CVE-2023-7090 8.8 - High - December 23, 2023

A flaw was found in sudo in the handling of ipa_hostname, where ipa_hostname from /etc/sssd/sssd.conf was not propagated in sudo. Therefore, it leads to privilege mismanagement vulnerability in applications, where client hosts retain privileges even after retracting them.

Improper Privilege Management

Sudo <1.9.15: Row Hammer Bug Enables Auth Bypass
CVE-2023-42465 - December 22, 2023

Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit.

Sudo <1.9.13 Control Character Leak in sudoreplay
CVE-2023-28487 5.3 - Medium - March 16, 2023

Sudo before 1.9.13 does not escape control characters in sudoreplay output.

Output Sanitization

Sudo log message vuln before 1.9.13: Control chars not escaped
CVE-2023-28486 5.3 - Medium - March 16, 2023

Sudo before 1.9.13 does not escape control characters in log messages.

Output Sanitization

Sudo 1.9.13p2 Double Free in Per-Command Chroot
CVE-2023-27320 7.2 - High - February 28, 2023

Sudo before 1.9.13p2 has a double free in the per-command chroot feature.

Double-free

Priv Escalation via sudoedit (SUDO_EDITOR '--') before 1.9.12p2
CVE-2023-22809 7.8 - High - January 18, 2023

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.

Improper Privilege Management

Sudo 1.8.0-1.9.12 OOB Heap Buf Over-Read via pass.c Auth
CVE-2022-43995 7.1 - High - November 02, 2022

Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture.

Out-of-bounds Read

Sudo before 1.9.5p2 contains an off-by-one error
CVE-2021-3156 7.8 - High - January 26, 2021

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

off-by-five

The sudoedit personality of Sudo before 1.9.5 may
CVE-2021-23239 2.5 - Low - January 12, 2021

The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.

insecure temporary file

selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5
CVE-2021-23240 7.8 - High - January 12, 2021

selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file target. This affects SELinux RBAC support in permissive mode. Machines without SELinux are not vulnerable.

insecure temporary file

In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users
CVE-2019-18634 - January 29, 2020

In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.

There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program"
CVE-2005-4890 - November 04, 2019

There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process.

Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process
CVE-2019-18684 - November 04, 2019

Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write "ALL ALL=(ALL) NOPASSWD:ALL" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account
CVE-2019-14287 - October 17, 2019

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.

Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution.
CVE-2017-1000367 6.4 - Medium - June 05, 2017

Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution.

Race Condition

Sudo before 1.6.6 contains an off-by-one error
CVE-2002-0184 - May 16, 2002

Sudo before 1.6.6 contains an off-by-one error that can result in a heap-based buffer overflow that may allow local users to gain root privileges via special characters in the -p (prompt) argument, which are not properly expanded.