Sudo local privilege escalation vulnerabilities fixed (CVE-2025-32462, CVE-2025-32463)

If you haven’t recently updated the Sudo utility on your Linux box(es), you should do so now, to patch two local privilege escalation vulnerabilities (CVE-2025-32462, CVE-2025-32463) that were disclosed on Monday.

What is Sudo?

Sudo is a command-line utility in Unix-like operating systems that allows a low-privilege user to execute a command as another user, typically the root/administrator user.

The utility effectively grants temporary elevated privileges without requiring the user to log in as root.

The user needs to authenticate themselves with their password and, if they are permitted by the configuration file (typically /etc/sudoers), the system will execute the requested command.

The vulnerabilities (CVE-2025-32462, CVE-2025-32463)

Both vulnerabilities have been reported by Rich Mirch of the Stratascale Cyber Research Unit.

CVE-2025-32462, a low-severity elevation of privilege (EOP) vulnerability in the Sudo host option, has been present in Sudo’s code for over 12 years.

“Sudo’s host (-h or --host) option is intended to be used in conjunction with the list option (-l or --list) to list a user’s sudo privileges on a host other than the current one. However, due to a bug it was not restricted to listing privileges and could be used when running a command via sudo or editing a file with sudoedit,” Sudo maintainers explained.

Mirch noted that CVE-2025-32462 relies on a specific (yet common) configuration where Sudo rules are restricted to certain hostnames or hostname patterns. “If these conditions are met, privilege escalation to root requires no exploit.”

CVE-2025-32462 affects stable (v1.9.0 – 1.9.17) and legacy (v1.8.8 – 1.8.32) versions of Sudo.

CVE-2025-32463 is a critical-severity flaw in the Sudo chroot option that could be exploited by local users to achieve root access on the underlying system.

“Sudo’s -R (--chroot) option is intended to allow the user to run a command with a user-selected root directory if the sudoers file allows it,” Sudo’s maintainers explained.

Unfortunately, a change introduced in Sudo v1.9.14 “to resolve paths via chroot() using the user-specified root directory while the sudoers file was still being evaluated” introduced the flaw.

This permits an attacker to trick Sudo into loading an arbitrary shared library by creating an /etc/nsswitch.conf file under the user-specified root directory. (This works only on systems that support /etc/nsswitch.conf.)

CVE-2025-32463 affects Sudo versions 1.9.14 to 1.9.17. The legacy versions of Sudo are not vulnerable because the chroot feature is not included.

Mirch shared more details about the flaw and their successful exploitation attempts here.

What to do?

Stratascale CTU has verified that the vulnerabilities can be exploited on popular Linux distros such as Ubuntu and Fedora, and on macOS Sequoia (macOS is a Unix-based operating system).

Both CVE-2025-32462 and CVE-2025-32463 have been fixed in version 1.9.17p1, released in early June 2025.

Since Sudo is installed by default on many popular Linux desktop distributions, you should check if the one you’re using has offered updated Sudo packages with the fix – Ubuntu, Debian, and SUSE already have.
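As an added example (not part of the article or of the Sudo project), the POSIX shell snippet below classifies a Sudo version string against the affected ranges the article gives, treating 1.9.17p1 as the first fixed stable release; the sample `sudo --version` output is constructed for illustration, and the function names are my own.

```shell
#!/bin/sh
# Affected ranges as stated in the advisory coverage above:
#   CVE-2025-32462: legacy 1.8.8 - 1.8.32 and stable 1.9.0 - 1.9.17
#   CVE-2025-32463: 1.9.14 - 1.9.17 (chroot feature absent from legacy 1.8.x)
#   Both fixed in 1.9.17p1.

# Turn "major.minor.patch[pN]" into a single sortable integer.
sudo_version_key() {
    ver=$1
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%p*}
    case $rest in
        *p*) plevel=${rest#*p} ;;
        *)   plevel=0 ;;
    esac
    echo $(( major * 1000000000 + minor * 1000000 + patch * 1000 + plevel ))
}

# True when key $1 lies in [version $2, version $3) (upper bound exclusive).
in_range() {
    [ "$1" -ge "$(sudo_version_key "$2")" ] && [ "$1" -lt "$(sudo_version_key "$3")" ]
}

# Print the CVE ids a given Sudo version is affected by, or "not affected".
sudo_affected_cves() {
    k=$(sudo_version_key "$1")
    out=""
    if in_range "$k" 1.8.8 1.8.33 || in_range "$k" 1.9.0 1.9.17p1; then
        out="CVE-2025-32462"
    fi
    if in_range "$k" 1.9.14 1.9.17p1; then
        out="${out:+$out }CVE-2025-32463"
    fi
    echo "${out:-not affected}"
}

# Pull the version out of `sudo --version` output, whose first line reads
# "Sudo version X.Y.Z[pN]".
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version //p'
}

# Constructed sample output (hypothetical host running an affected release).
SAMPLE_OUTPUT='Sudo version 1.9.15p5
Sudoers policy plugin version 1.9.15p5'

# Run with --check to test the locally installed sudo instead of the sample.
if [ "${1:-}" = "--check" ]; then
    v=$(sudo_version_from_output "$(sudo --version 2>/dev/null)")
    echo "installed sudo $v: $(sudo_affected_cves "$v")"
fi
```

Distributions often backport fixes without bumping the upstream version, so treat a "vulnerable" result from this check as a prompt to consult your distribution's advisory rather than as a final verdict.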
