Critical Sudo Vulnerability Allows Root Privilege Escalation in Linux

Red Dog Security

2 min read
Critical Sudo Vulnerability Allows Root Privilege Escalation in Linux

Two vulnerabilities have been discovered in the widely used sudo utility, enabling local attackers to escalate privileges to root on affected Linux systems.

The flaws—identified by security researchers at Stratascale—include a newly discovered 12-year-old bug. One of the vulnerabilities (CVE-2025-32462) has existed in the sudo codebase since 2013, while the second (CVE-2025-32463) presents a critical escalation vector requiring minimal user permissions.

Overview of the Vulnerabilities

  • CVE-2025-32462
    CVSS score: 2.8
    Affects sudo versions prior to 1.9.17p1 when the sudoers configuration references a host other than the current system or ALL. This issue can result in unintended command execution on unauthorized machines.
  • CVE-2025-32463
    CVSS score: 9.3
    Affects all sudo versions before 1.9.17p1. It allows local users to gain root access by exploiting the -R (chroot) option and a user-controlled /etc/nsswitch.conf file.

CVE-2025-32462: A 12-Year-Old Logic Flaw

The first vulnerability involves the -h (host) flag, originally intended to list sudo privileges for a remote host. Introduced in September 2013, the feature was never supposed to impact actual command execution—only the -l (list) output.

However, the flaw enables users to run commands on the local machine that are only permitted for a different host. This poses a risk for environments using a shared sudoers file across multiple systems.

“This primarily affects sites using a shared sudoers file across multiple machines,” explained Todd C. Miller, sudo's longtime maintainer. “LDAP-based sudoers configurations (including SSSD) are also impacted.”

CVE-2025-32463: Critical Root Escalation via Chroot

The more severe of the two vulnerabilities lies in the -R (chroot) option, which allows users to specify an alternative root directory. Under default configurations, attackers can abuse this option to trick sudo into loading a malicious shared library via a crafted /etc/nsswitch.conf file.

“The default sudo configuration is vulnerable,” the researchers warned. “Exploitation does not require any specific sudoers rules. Any local, unprivileged user can escalate to root.”

By creating a custom root environment and manipulating dynamic link resolution, attackers can achieve arbitrary command execution as the root user—even without explicit sudo privileges.

Patches, Mitigations, and Recommendations

Todd Miller has confirmed that the chroot functionality will be deprecated entirely in future releases, noting that user-specified root directories are “inherently prone to errors.”

The vulnerabilities were disclosed on April 1, 2025, and addressed in sudo version 1.9.17p1, released in late June. Major Linux distributions have published security advisories, including:

CVE-2025-32462:

  • Affects: AlmaLinux 8/9, Alpine Linux, Amazon Linux, Debian, Gentoo, Oracle Linux, Red Hat, SUSE, Ubuntu

CVE-2025-32463:

  • Affects: Alpine Linux, Amazon Linux, Debian, Gentoo, Red Hat, SUSE, Ubuntu

All users and administrators are strongly advised to update sudo to version 1.9.17p1 or later. Failure to patch these vulnerabilities could result in unauthorized root-level access, particularly in multi-user or enterprise environments.

While CVE-2025-32462 is lower in severity, CVE-2025-32463 represents a significant risk and should be prioritized for remediation.

Read more