Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability

Added Sept. 29, 2025 • Due Oct. 20, 2025 • CVE-2025-32463

Overdue Sudo / Sudo CWE-829

Description

Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow local attacker to leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.

Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

References

This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://www.sudo.ws/security/advisories/chroot_bug/
https://nvd.nist.gov/vuln/detail/CVE-2025-32463

Additional Information

Catalog Version: 2025.09.29
Catalog Released: Sept. 29, 2025
Days Until Due: 0 days
Last Updated: 1 month, 3 weeks ago