CVE-2025-32463 — Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability

CVE-2025-32463

Sudo — sudo --chroot NSS Library Loading Enables Any Local User to Execute Arbitrary Commands as Root

What is Sudo?

sudo (Super User Do) is one of the most fundamental security tools on Linux and Unix systems, installed by default on virtually every Linux distribution. It enables authorized users to execute commands as other users (typically root) with granular policy control defined in the /etc/sudoers file. Because sudo runs as SUID root and is used across millions of Linux servers, desktops, containers, and cloud instances, a privilege escalation vulnerability in sudo has effectively universal impact across the Linux ecosystem. This is the fifth major sudo privilege escalation vulnerability in recent years (following Baron Samedit CVE-2021-3156, etc.).

Overview

CVE-2025-32463 is a critical local privilege escalation vulnerability (CWE-829, CVSS 9.3) in sudo versions 1.9.14 through 1.9.17. The sudo -R <dir> (chroot) option — introduced in 1.9.14 — causes sudo to chroot into a user-specified directory before completing security checks. After chrooting, sudo reads NSS (Name Service Switch) configuration and loads shared libraries from within the attacker-controlled chroot directory. Since sudo runs as root when loading these libraries, any local user can achieve arbitrary code execution as root by placing a malicious shared library in a world-writable chroot directory — regardless of what the /etc/sudoers policy permits. CISA added it to the KEV catalog in September 2025 after exploitation was confirmed.

Affected Versions

Product: sudo
Vulnerable: 1.9.14 through 1.9.17
Fixed: 1.9.17p1

The --chroot / -R option was introduced in sudo 1.9.14 and did not exist in prior versions. Sudo 1.9.17p1 completely reverts/deprecates the chroot feature.

Technical Details

The vulnerability (CWE-829: Inclusion of Functionality from Untrusted Control Sphere) exploits sudo's -R <dir> option. The attack chain:

  1. Attacker creates a malicious chroot directory in a world-writable location (e.g., /tmp/exploit/).
  2. Attacker populates the chroot: places a crafted nsswitch.conf (pointing to a malicious NSS module name) and a malicious shared library (e.g., libnss_pwent.so) in the chroot's library path.
  3. Attacker invokes sudo with -R: sudo -R /tmp/exploit/ <any_command>
  4. Sudo chroots into the attacker's directory before completing policy evaluation. It then reads /tmp/exploit/etc/nsswitch.conf and loads the NSS libraries referenced there — from the attacker's controlled directory.
  5. Since sudo is running as root (SUID), loading the malicious shared library executes the library's constructor (__attribute__((constructor)) function) as root, achieving arbitrary root code execution.

Critically, this works even if the user has no sudo privileges at all in /etc/sudoers. The chroot happens before the sudoers policy check, so the policy is never reached. The CVSS Privileges:None (PR:N) rating reflects this — any local user can invoke sudo -R.

The CVSS Scope:Changed (S:C) rating reflects that the impact is not confined to sudo itself: code execution as root crosses from the local user's security context into that of the whole system.
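Because the chain above runs before sudo's policy check, the invocation itself is the thing worth alerting on. The script below is an added example for defenders, not code from the advisory or the sudo project: it scans constructed log records for sudo being run with a chroot directory. Both record layouts are assumptions: sudo's own syslog entry is assumed to carry a `CHROOT=<dir>` field when `-R`/`--chroot` is used, and the auditd `EXECVE` record (which is written at exec time, before sudo runs any code) is assumed to carry the argument vector as `a0=`, `a1=`, and so on.

```shell
#!/bin/sh
# Added example: flag sudo invocations that used a chroot directory, from
# host logs. Two record shapes are handled; both layouts are assumptions:
#   1. sudo's own syslog entry, assumed to carry a "CHROOT=<dir>" field
#      when -R/--chroot was used;
#   2. an auditd EXECVE record whose a0 is sudo and whose argv contains
#      -R or --chroot (captured at exec time, before sudo runs any code).

# Constructed sample records (not from a real host). Three should be flagged:
# bob's CHROOT= entry and the two EXECVE records that run sudo with -R/--chroot.
SAMPLE_LOGS='Jun 30 12:00:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
Jun 30 12:00:05 host1 sudo:    bob : TTY=pts/1 ; CHROOT=/tmp/exploit ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id
Jun 30 12:00:09 host1 sudo:    bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id
type=EXECVE msg=audit(1751284810.123:4711): argc=4 a0="sudo" a1="-R" a2="/tmp/exploit" a3="/usr/bin/id"
type=EXECVE msg=audit(1751284811.456:4712): argc=3 a0="/usr/bin/sudo" a1="--chroot=/tmp/exploit" a2="/usr/bin/id"
type=EXECVE msg=audit(1751284812.789:4713): argc=3 a0="/usr/bin/rsync" a1="-R" a2="/tmp"
type=EXECVE msg=audit(1751284813.000:4714): argc=2 a0="sudo" a1="-l"'

# Read records on stdin, print those showing sudo run with a chroot.
# "-R" is only matched when argv[0] is sudo, so rsync -R and friends stay quiet.
flag_chroot_sudo() {
    grep -E \
        -e 'sudo.*[[:space:]]CHROOT=' \
        -e 'type=EXECVE .*a0="[^"]*sudo" .*a[0-9]+="(-R|--chroot(=[^"]*)?)"' \
        || true                            # no match is not an error here
}

# Number of flagged records on stdin (leading whitespace from wc stripped).
count_chroot_sudo() {
    flag_chroot_sudo | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample. On a real host feed it
# /var/log/auth.log, the journal, or /var/log/audit/audit.log instead.
printf '%s\n' "$SAMPLE_LOGS" | flag_chroot_sudo
printf 'flagged %s record(s)\n' "$(printf '%s\n' "$SAMPLE_LOGS" | count_chroot_sudo)"
```

The audit-record match is the more trustworthy of the two on an exploited host, since the exec is recorded by the kernel before sudo has chrooted or loaded anything; sudo's own log line is only written if sudo survives long enough to write it.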

Discovery

Discovered by Rich Mirch. CVE assigned April 8, 2025; publicly disclosed June 30, 2025 after coordinated disclosure.

Exploitation Context

Confirmed in-the-wild exploitation; CISA added CVE-2025-32463 to the KEV catalog on 29 September 2025 — approximately 3 months after public disclosure. Multiple public PoC exploits exist on GitHub. CVE-2025-32463 is particularly dangerous on shared Linux systems (multi-user servers, cloud instances, Kubernetes nodes) where local user access is granted to multiple parties. No specific named threat actor has been publicly attributed, but the low exploitation barrier (any local user) makes this a common post-exploitation LPE tool.

Remediation

  1. Update sudo to 1.9.17p1 or later — this completely removes the vulnerable chroot feature. Apply via your Linux distribution's package manager: apt upgrade sudo, yum update sudo, dnf upgrade sudo, etc.
  2. Verify the installed version: sudo --version — confirm it shows 1.9.17p1 or higher.
  3. If you are running sudo 1.9.14–1.9.17 and cannot upgrade immediately: reduce the attack surface by removing or restricting world-writable directories that local users could use to stage chroot environments. This is not a complete fix; upgrading is still required.
  4. Audit local user accounts on affected systems: CVE-2025-32463 requires local access, making it an LPE for attackers who already have any local account.
  5. This vulnerability affects a wide range of Linux distributions — verify your distribution has released the patched package and apply it across all systems.
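A fleet-wide version check for step 2, as an added example that is not from the advisory or the sudo project. It encodes only the affected range stated above (1.9.14 through 1.9.17, fixed in 1.9.17p1) and assumes the first line of `sudo --version` output has the form `Sudo version X.Y.Z[pN]`.

```shell
#!/bin/sh
# Added example: classify an installed sudo against the CVE-2025-32463 range.
# Affected (per the advisory): 1.9.14 through 1.9.17; fixed: 1.9.17p1.
# The "Sudo version X.Y.Z[pN]" output format is an assumption of this script.

# True only for a non-empty string of decimal digits.
is_num() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Print "vulnerable", "not_affected" or "unparseable" for a version string
# such as 1.9.17 or 1.9.17p1. Always returns 0 so it is safe under set -e.
sudo_version_status() {
    ver=$1
    case "$ver" in
        *.*.*) ;;                          # need MAJOR.MINOR.PATCH at least
        *) echo unparseable; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patchfull=${rest#*.}                   # "17" or "17p1"
    patch=${patchfull%%p*}
    case "$patchfull" in
        *p*) plevel=${patchfull#*p} ;;     # the pN patch level, if any
        *)   plevel=0 ;;
    esac
    if ! is_num "$major" || ! is_num "$minor" || ! is_num "$patch" || ! is_num "$plevel"; then
        echo unparseable; return 0
    fi
    # 1.9.14 .. 1.9.16 are affected at every patch level (e.g. 1.9.15p5);
    # 1.9.17 is affected only without a patch level, since 1.9.17p1 is the fix.
    if [ "$major" -eq 1 ] && [ "$minor" -eq 9 ]; then
        if [ "$patch" -ge 14 ] && [ "$patch" -le 16 ]; then
            echo vulnerable; return 0
        fi
        if [ "$patch" -eq 17 ] && [ "$plevel" -eq 0 ]; then
            echo vulnerable; return 0
        fi
    fi
    echo not_affected
}

# Pull "X.Y.Z[pN]" out of the first line of `sudo --version` output.
parse_sudo_version_output() {
    printf '%s\n' "$1" |
        sed -n '1s/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p'
}

# Stand-alone use: report on the sudo binary found on this host, if any.
if command -v sudo >/dev/null 2>&1; then
    installed=$(parse_sudo_version_output "$(sudo --version 2>/dev/null)")
    printf 'sudo %s: %s\n' "${installed:-unknown}" \
        "$(sudo_version_status "${installed:-unknown}")"
fi
```

The check deliberately treats a version it cannot parse as a separate result rather than as safe, so a distribution build that reports an unexpected string shows up for manual review instead of silently passing.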

Key Details

CVE ID: CVE-2025-32463
Vendor / Product: Sudo / Sudo
NVD Published: 2025-06-30
NVD Last Modified: 2025-11-05
CVSS 3.1 Score: 9.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-829
CISA KEV Added: 2025-09-29
CISA KEV Deadline: 2025-10-20
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-10-20. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

2025-04-08: CVE assigned (internal embargo period)
2025-06-30: CVE publicly disclosed; sudo 1.9.17p1 released (chroot feature reverted)
2025-09-29: CISA adds to Known Exploited Vulnerabilities catalog
2025-10-20: CISA BOD 22-01 remediation deadline