Critical Sudo Bugs Expose Major Linux Distributions to Local Root Exploits
Cybersecurity researchers have disclosed two critical vulnerabilities in the Sudo command-line utility for Linux and Unix-like operating systems, exposing major distributions to local root exploits. The Stratascale Cyber Research Unit (CRU) team discovered both local privilege escalation vulnerabilities, which a local attacker can exploit to gain root access on affected systems.
About Sudo
Sudo, short for "superuser do," is a command-line utility found in Unix and Linux systems. It allows a permitted user to run commands with the security privileges of another user, most commonly the root user (the system's most powerful administrative account). The utility has been widely adopted in enterprise environments due to its flexibility and ease of use.
The First Vulnerability: CVE-2025-32462
The first vulnerability discovered by the CRU team is a critical flaw in the Sudo utility, stemming from the --host option introduced in version 1.8.8 in 2013. The --host option was originally meant only for listing rules (sudo -l), but it also worked with other commands like sudoedit.
This oversight lets a user run commands with elevated privileges by referencing a rule written for a different host. Environments whose sudoers configuration uses Host or Host_Alias directives are affected: if a user invokes sudo with the --host option naming an unrelated remote host, Sudo treats that host's rule as valid for the local system, and any command the remote host rule permits can be executed on the local machine.
"The Stratascale CRU team discovered that since the introduction of the host option in 2013, executing a sudo or sudoedit command with the host option referencing an unrelated remote host rule causes Sudo to treat the rule as valid for the local system. As a result, any command allowed by the remote host rule can be executed on the local machine," reads the report published by Stratascale.
The Second Vulnerability: Arbitrary Shared Library Loading
The second vulnerability discovered by the CRU team involves Sudo's -R (--chroot) option, which lets a user run a command under a user-selected root directory when the sudoers file permits it. The feature has since been marked as deprecated because it is error-prone and not widely used.
Sudo 1.9.14 changed command path resolution to call chroot() into the user-specified root directory while the sudoers file was still being evaluated. This change allowed an attacker to trick Sudo into loading an arbitrary shared library by placing an /etc/nsswitch.conf file under the user-specified root directory.
"The change from sudo 1.9.14 has been reverted in sudo 1.9.17p1 and the chroot feature has been marked as deprecated," reads the advisory published by Sudo project maintainers. "Because of the way sudo resolves commands, supporting a user-specified chroot directory is error-prone and this feature does not appear to be widely used."
Patch Availability
Rich Mirch of the Stratascale Cyber Research Unit (CRU) reported the vulnerabilities to Sudo maintainer Todd Miller on April 1, 2025. A patch was sent to the operating system distros mailing list on June 23, 2025, together with links to the Sudo advisories.
Conclusion
The discovery of these critical vulnerabilities in Sudo highlights the importance of regular security audits and timely updates for Linux distributions. Local attackers can exploit them to gain root access on affected systems, compromising system security and integrity.
It is essential for system administrators and developers to stay informed about these vulnerabilities and apply the available patches as soon as possible to prevent potential attacks.