Local Privilege Escalation via chroot option
An attacker can leverage sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.
Sudo versions 1.9.14 to 1.9.17 inclusive are affected.
This vulnerability has been assigned CVE-2025-32463 in the Common Vulnerabilities and Exposures database.
Sudo's -R (--chroot) option is intended to allow the user to run a command with a user-selected root directory if the sudoers file allows it. A change was made in sudo 1.9.14 to resolve paths via chroot() using the user-specified root directory while the sudoers file was still being evaluated. It is possible for an attacker to trick sudo into loading an arbitrary shared library by creating an /etc/nsswitch.conf file under the user-specified root directory.
The change from sudo 1.9.14 has been reverted in sudo 1.9.17p1 and the chroot feature has been marked as deprecated. It will be removed entirely in a future sudo release. Because of the way sudo resolves commands, supporting a user-specified chroot directory is error-prone and this feature does not appear to be widely used.
A more detailed description of the bug and its effects can be found in the Stratascale advisory.
On systems that support /etc/nsswitch.conf, a user may be able to run arbitrary commands as root.
The bug is fixed in sudo 1.9.17p1.
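As an added example (not part of this advisory or of the sudo project), the following POSIX shell check classifies a sudo version string against the affected range given above (1.9.14 through 1.9.17, fixed in 1.9.17p1). It assumes that the first line of `sudo -V` reads `Sudo version X.Y.Z[pN]` and that the distribution has not backported the fix under an older version string.

```shell
#!/bin/sh
# Added example: is a given sudo version in the CVE-2025-32463 affected range?
# Affected: 1.9.14 <= version < 1.9.17p1 (the "pN" patch level counts).
# Caveat: distributions sometimes backport fixes without bumping the version,
# so treat a "affected" result as a prompt to check the package changelog.

# Turn "X.Y.Z[pN]" into one comparable integer (MMMMmmmuuuppp); missing pN is 0.
sudo_version_key() {
    ver="$1"
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    case "$rest" in
        *p*) micro=${rest%%p*}; patch=${rest#*p} ;;
        *)   micro=$rest;       patch=0 ;;
    esac
    printf '%d%03d%03d%03d\n' "$major" "$minor" "$micro" "$patch"
}

# Exit status 0 when the version lies inside the affected range.
sudo_chroot_affected() {
    key=$(sudo_version_key "$1")
    lo=$(sudo_version_key 1.9.14)     # first affected release
    hi=$(sudo_version_key 1.9.17p1)   # first fixed release
    [ "$key" -ge "$lo" ] && [ "$key" -lt "$hi" ]
}

# Version string of the installed sudo, taken from the first line of `sudo -V`
# (assumed format: "Sudo version 1.9.16p2"); empty if sudo is not installed.
installed_sudo_version() {
    command -v sudo >/dev/null 2>&1 || return 1
    sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# Report on the local system when run directly.
if v=$(installed_sudo_version) && [ -n "$v" ]; then
    if sudo_chroot_affected "$v"; then
        echo "sudo $v: within the CVE-2025-32463 range, upgrade to 1.9.17p1 or later"
    else
        echo "sudo $v: outside the affected version range"
    fi
fi
```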
Thanks to Rich Mirch from Stratascale Cyber Research Unit (CRU) for reporting and analyzing the bug. His advisory may be found at https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot.