Sudo Project: community verdicts
3 notable / known-exploited Sudo Project CVEs the community has triaged.
ⓘ Not an exhaustive list: we focus on the findings that matter (exploited / notable). For every Sudo Project CVE, see NVD ↗.
- CVE-2021-3156HIGH 7.8KEVEPSS 99%
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
- CVE-2025-32463CRIT 9.3KEVEPSS 47%
Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
- CVE-2026-35535HIGH 7.4Real · low riskEPSS 0%
In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.