A critical vulnerability identified as CVE-2025-32463 has been disclosed in the widely used Linux Sudo utility, affecting versions 1.9.14 through 1.9.17. This flaw allows any local, unprivileged user to escalate privileges to root without needing existing sudo permissions or special configurations. The vulnerability, which carries a CVSS score of high (Critical), impacts default configurations on popular Linux distributions including Ubuntu and Fedora. It originates from changes introduced in Sudo v1.9.14 (June 2023) related to the handling of command matching in conjunction with the chroot (-R) option.

The vulnerability was discovered by Cyber Research Unit and involves misuse of the Name Service Switch (NSS) system via the chroot feature. In the attack, an unprivileged user creates a chroot environment in a writable directory and places a malicious /etc/nsswitch.conf file within it. When Sudo is executed with the -R flag, it changes its root directory to this environment and loads the NSS configuration from the attacker's version. By pointing NSS to a malicious shared object library (e.g., libnss_woot1337.so.2), the attacker can inject code that runs with root privileges.

The proof-of-concept exploit demonstrates how an attacker can easily create such a shared library using gcc -shared -fPIC, and include a constructor function that elevates the process's privileges (via setreuid(0, 0) and setregid(0, 0)) and spawns a root shell (/bin/bash). What makes this flaw exceptionally dangerous is that it works even in a default Sudo setup, requiring no prior configuration changes or permission adjustments. The only requirements for exploitation are an unprivileged user account and access to a writable directory.

There is no workaround for this vulnerability. The only effective mitigation is to immediately upgrade to Sudo version 1.9.17p1 or later, in which the chroot option has been deprecated and the vulnerable pivot_root() and unpivot_root() functions have been removed. Security researchers have validated the exploit on Ubuntu 24.04.1 and Fedora 41, confirming its reliability. System administrators are strongly urged to patch affected systems without delay to prevent exploitation in real-world environments.