Sudo Project Sudo vulnerabilities

CVE-2026-35535 [HIGH] CWE-271 CVE-2026-35535: In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.

CVE-2025-32463 [CRITICAL] CWE-829 CVE-2025-32463: Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.

CVE-2025-32462 [LOW] CWE-863 CVE-2025-32462: Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the curren Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.

CVE-2023-7090 [MEDIUM] CWE-269 CVE-2023-7090: A flaw was found in sudo in the handling of ipa_hostname, where ipa_hostname from /etc/sssd/sssd.con A flaw was found in sudo in the handling of ipa_hostname, where ipa_hostname from /etc/sssd/sssd.conf was not propagated in sudo. Therefore, it leads to privilege mismanagement vulnerability in applications, where client hosts retain privileges even after retracting them.

CVE-2023-42465 [HIGH] CVE-2023-42465: Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit.

CVE-2023-28486 [MEDIUM] CWE-116 CVE-2023-28486: Sudo before 1.9.13 does not escape control characters in log messages. Sudo before 1.9.13 does not escape control characters in log messages.

CVE-2023-28487 [MEDIUM] CWE-116 CVE-2023-28487: Sudo before 1.9.13 does not escape control characters in sudoreplay output. Sudo before 1.9.13 does not escape control characters in sudoreplay output.

CVE-2023-27320 [HIGH] CWE-415 CVE-2023-27320: Sudo before 1.9.13p2 has a double free in the per-command chroot feature. Sudo before 1.9.13p2 has a double free in the per-command chroot feature.

CVE-2023-22809 [HIGH] CWE-269 CVE-2023-22809: In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem e

CVE-2022-43995 [HIGH] CWE-125 CVE-2022-43995: Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system librarie

CVE-2021-3156 [HIGH] CWE-193 CVE-2021-3156: Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, wh Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

CVE-2021-23240 [HIGH] CWE-59 CVE-2021-23240: selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain f selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file target. This affects SELinux RBAC support in permissive mode. Machines without SELinux are not vulnerable.

CVE-2021-23239 [LOW] CWE-59 CVE-2021-23239: The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitra The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.

CVE-2019-18634 [HIGH] CWE-787 CVE-2019-18634: In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buf In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs

CVE-2019-18684 [HIGH] CWE-362 CVE-2019-18684: Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descrip Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write "ALL ALL=(ALL) NOPASSWD:ALL" to /proc/#####/fd/3 at a time when Sudo is prompting for a passw

CVE-2005-4890 [HIGH] CWE-20 CVE-2005-4890: There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - use There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process.

CVE-2019-14287 [HIGH] CWE-755 CVE-2019-14287: In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain poli In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.

CVE-2016-7076 [MEDIUM] CWE-184 CVE-2016-7076: sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges.

CVE-2015-8239 [HIGH] CWE-362 CVE-2015-8239: The SHA-2 digest support in the sudoers plugin in sudo after 1.8.7 allows local users with write per The SHA-2 digest support in the sudoers plugin in sudo after 1.8.7 allows local users with write permissions to parts of the called command to replace them before it is executed.

CVE-2017-1000368 [HIGH] CWE-20 CVE-2017-1000368: Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newli Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution.