id: CVE-2025-32463

info:
  name: Sudo - Local Privilege Escalation via chroot
  author: SeungAh-Hong
  severity: critical
  description: |
    Sudo before 1.9.17p1 allows local users to obtain root access by using /etc/nsswitch.conf from a user-controlled directory with the --chroot (-R) option.
  impact: |
    A local attacker can escalate privileges to root by placing a crafted nsswitch.conf file and a malicious NSS library in a writable chroot directory, enabling arbitrary code execution with root privileges.
  remediation: |
    Upgrade sudo to version 1.9.17p1 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-32463
    - https://www.sudo.ws/security/advisories/chroot_bug/
    - https://ubuntu.com/security/CVE-2025-32463
    - https://www.wiz.io/vulnerability-database/cve/cve-2025-32463
    - https://explore.alas.aws.amazon.com/CVE-2025-32463.html
  classification:
    cve-id: CVE-2025-32463
    epss-score: 0.57345
    epss-percentile: 0.98188
    cvss-score: 9.3
    cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cwe-id: CWE-426
  metadata:
    verified: true
  tags: cve,cve2025,sudo,priv-esc,linux,lpe,kev,vkev

self-contained: true

flow: code(1) && code(2)

code:
  # Step 1: only continue when the current user is not already root
  - engine:
      - sh
      - bash
    source: |
      whoami

    matchers:
      - type: word
        part: response
        words:
          - "root"
        negative: true

  # Step 2: probe whether sudo accepts the --chroot (-R) option non-interactively;
  # a "no such file or directory" error for the bogus chroot path indicates the
  # option is honoured, while password or sudoers errors mean the check is inconclusive
  - engine:
      - sh
      - bash
    source: |
      OUT="$(sudo -n -R woot woot 2>&1 || true)"
      printf "%s\n" "$OUT"

    matchers-condition: and
    matchers:
      - type: regex
        part: response
        regex:
          - '(?i).*woot.*no such file or directory.*'

      - type: dsl
        dsl:
          - "!contains(tolower(response), 'password')"
          - "!contains(tolower(response), 'a password is required')"
          - "!contains(tolower(response), 'is not in the sudoers file')"
# digest: 4a0a0047304502201582ce2a65aaf806f01233e7e30a3de61c16e9771ce19a0344e29d3bafb240d90221009006c31fa30a0e6430cbcbdff1471e720c9d614db3bcf955f5ac2e6f3a269097:922c64590222798bb761d5b6d8e72950