Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HCanonical Ubuntu
OSCanonical22.0424.0424.1025.04Debian
OSDebian11.012.013.0Opensuse Leap
OSOpensuse15.6Red Hat Enterprise Linux
OSRedhat10.0Sudo Project Sudo
APPSudo Project1.9.171.9.14 – 1.9.17 (bez)SUSE Linux Enterprise Desktop
OSSuse15SUSE Linux Enterprise Real Time
OSSuse15.0SUSE Linux Enterprise Server For Sap
OSSuse12
CISA KEV — detailsi
- Vendori
- Sudo
- Producti
- Sudo
- Added to KEVi
- September 29, 2025
- Remediation deadline (US Federal)i
- October 20, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow local attacker to leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.
Related vulnerabilities
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki
Apache Tomcat: Path Equivalence prowadzący do RCE i ujawnienia danych