CVE-2025-32463

Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.

CVSS v3 9.3 CRITICAL

9.3^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.5 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://access.redhat.com/security/cve/cve-2025-32463
https://bugs.gentoo.org/show_bug.cgi?id=CVE-2025-32463
https://explore.alas.aws.amazon.com/CVE-2025-32463.html
https://security-tracker.debian.org/tracker/CVE-2025-32463
https://ubuntu.com/security/notices/USN-7604-1
https://www.openwall.com/lists/oss-security/2025/06/30/3
https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
https://www.sudo.ws/releases/changelog/
https://www.sudo.ws/security/advisories/
https://www.suse.com/security/cve/CVE-2025-32463.html
https://www.suse.com/support/update/announcement/2025/suse-su-202502177-1/

Configurations

No configuration.

History

01 Jul 2025, 20:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/security/cve/cve-2025-32463 - () https://bugs.gentoo.org/show_bug.cgi?id=CVE-2025-32463 - () https://explore.alas.aws.amazon.com/CVE-2025-32463.html - () https://security-tracker.debian.org/tracker/CVE-2025-32463 - () https://ubuntu.com/security/notices/USN-7604-1 - () https://www.suse.com/security/cve/CVE-2025-32463.html - () https://www.suse.com/support/update/announcement/2025/suse-su-202502177-1/ -
Summary		(es) Sudo anterior a 1.9.17p1 permite a los usuarios locales obtener acceso root porque /etc/nsswitch.conf desde un directorio controlado por el usuario se utiliza con la opción --chroot.

30 Jun 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-30 21:15

Updated : 2025-07-03 15:14

NVD link : CVE-2025-32463

Mitre link : CVE-2025-32463

CVE.ORG link : CVE-2025-32463

JSON object : View

Products Affected

No product.

CWE

CWE-829

Inclusion of Functionality from Untrusted Control Sphere

9.3 /10