Debian Sudo vulnerabilities

CVE-2026-35535 [HIGH] CVE-2026-35535: sudo - In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgr... In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation. Scope: local bookworm: open bullseye: open forky: resolved (fixed in 1.9.17p2-5) sid: resolved (fixed in 1.9.17p2-5) trixie: open

CVE-2025-32462 [LOW] CVE-2025-32462: sudo - Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that i... Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines. Scope: local bookworm: resolved (fixed in 1.9.13p3-1+deb12u2) bullseye: resolved (fixed in 1.9.5p2-3+deb11u2) forky: resolved (fixed in 1.9.16p2-3) sid: resolved (fixed in 1.9.16p2-3) trixie:

CVE-2025-32463 [CRITICAL] CVE-2025-32463: sudo - Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswi... Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 1.9.16p2-3) sid: resolved (fixed in 1.9.16p2-3) trixie: resolved (fixed in 1.9.16p2-3)

CVE-2023-22809 [HIGH] CVE-2023-22809: sudo - In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra argument... In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a us

CVE-2023-27320 [HIGH] CVE-2023-27320: sudo - Sudo before 1.9.13p2 has a double free in the per-command chroot feature. Sudo before 1.9.13p2 has a double free in the per-command chroot feature. Scope: local bookworm: resolved (fixed in 1.9.13p3-1) bullseye: resolved forky: resolved (fixed in 1.9.13p3-1) sid: resolved (fixed in 1.9.13p3-1) trixie: resolved (fixed in 1.9.13p3-1)

CVE-2023-28487 [MEDIUM] CVE-2023-28487: sudo - Sudo before 1.9.13 does not escape control characters in sudoreplay output. Sudo before 1.9.13 does not escape control characters in sudoreplay output. Scope: local bookworm: resolved (fixed in 1.9.13p1-1) bullseye: resolved (fixed in 1.9.5p2-3+deb11u3) forky: resolved (fixed in 1.9.13p1-1) sid: resolved (fixed in 1.9.13p1-1) trixie: resolved (fixed in 1.9.13p1-1)

CVE-2023-7090 [MEDIUM] CVE-2023-7090: sudo - A flaw was found in sudo in the handling of ipa_hostname, where ipa_hostname fro... A flaw was found in sudo in the handling of ipa_hostname, where ipa_hostname from /etc/sssd/sssd.conf was not propagated in sudo. Therefore, it leads to privilege mismanagement vulnerability in applications, where client hosts retain privileges even after retracting them. Scope: local bookworm: resolved (fixed in 1.8.28p1-1) bullseye: resolved (fixed in 1.8.28p1-1) for

CVE-2023-28486 [MEDIUM] CVE-2023-28486: sudo - Sudo before 1.9.13 does not escape control characters in log messages. Sudo before 1.9.13 does not escape control characters in log messages. Scope: local bookworm: resolved (fixed in 1.9.13p1-1) bullseye: resolved (fixed in 1.9.5p2-3+deb11u3) forky: resolved (fixed in 1.9.13p1-1) sid: resolved (fixed in 1.9.13p1-1) trixie: resolved (fixed in 1.9.13p1-1)

CVE-2023-42465 [HIGH] CVE-2023-42465: sudo - Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or ... Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit. Scope: local bookworm: open bullseye: open forky: resolved (fixed in 1.9.15p2-2) sid: resolved

CVE-2022-43995 [HIGH] CVE-2022-43995: sudo - Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins... Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and p

CVE-2021-3156 [HIGH] CVE-2021-3156: sudo - Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based... Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character. Scope: local bookworm: resolved (fixed in 1.9.5p1-1.1) bullseye: resolved (fixed in 1.9.5p1-1.1) forky: resolved (fixed in 1.9.5p1-1.1) sid: r

CVE-2021-23239 [LOW] CVE-2021-23239: sudo - The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged use... The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path. Scope: local bookworm: resolved (fixed in 1.9.5-1) bullseye: resolved (fixed in 1.9.5-1) forky: resolved (fixed in 1.9.5-1) sid

CVE-2021-23240 [HIGH] CVE-2021-23240: sudo - selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivi... selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file target. This affects SELinux RBAC support in permissive mode. Machines without SELinux are not vulnerable. Scope: local bookworm: resolved (fixed in 1.9.5-1) bullseye:

CVE-2019-18634 [HIGH] CVE-2019-18634: sudo - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigg... In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long

CVE-2019-14287 [HIGH] CVE-2019-14287: sudo - In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can... In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command. Scope: local bookworm: resolved (fixed i

CVE-2019-19232 [HIGH] CVE-2019-19232: sudo - In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account ca... In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional featur

CVE-2019-19234 [HIGH] CVE-2019-19234: sudo - In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using th... In Sudo through 1.8.29, the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. NOTE: The software maintainer believes that this CVE is not valid. Disabling local password authentication for

CVE-2017-1000368 [HIGH] CVE-2017-1000368: sudo - Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input valida... Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution. Scope: local bookworm: resolved (fixed in 1.8.20p1-1.1) bullseye: resolved (fixed in 1.8.20p1-1.1) forky: resolved (fixed in 1.8.20p1-1.1) sid: resolved (fixed in 1.

CVE-2017-1000367 [MEDIUM] CVE-2017-1000367: sudo - Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validati... Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution. Scope: local bookworm: resolved (fixed in 1.8.20p1-1) bullseye: resolved (fixed in 1.8.20p1-1) forky: resolved (fixed in 1.8.20p1-1) sid: resolved (fixed in 1.8.20p1-1

CVE-2016-7032 [HIGH] CVE-2016-7032: sudo - sudo_noexec.so in Sudo before 1.8.15 on Linux might allow local users to bypass ... sudo_noexec.so in Sudo before 1.8.15 on Linux might allow local users to bypass intended noexec command restrictions via an application that calls the (1) system or (2) popen function. Scope: local bookworm: resolved (fixed in 1.8.15-1) bullseye: resolved (fixed in 1.8.15-1) forky: resolved (fixed in 1.8.15-1) sid: resolved (fixed in 1.8.15-1) trixie: resolved (fixed in