CVE-2025-32463 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.3 CRITICAL	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
mitre	CNA	9.3 CRITICAL				CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 95%

Vendor	Product	Version
sudo_project	sudo	1.9.14 ≤ 𝑥 < 1.9.17
sudo_project	sudo	1.9.17
canonical	ubuntu_linux	22.04
canonical	ubuntu_linux	24.04
canonical	ubuntu_linux	24.10
canonical	ubuntu_linux	25.04
debian	debian_linux	11.0
debian	debian_linux	12.0
debian	debian_linux	13.0
opensuse	leap	15.6
redhat	enterprise_linux	10.0
suse	linux_enterprise_real_time	15.0:sp2
suse	linux_enterprise_real_time	15.0:sp6
suse	linux_enterprise_real_time	15.0:sp7

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

sudo

bullseye	1.9.5p2-3+deb11u1 not-affected
bookworm	1.9.13p3-1+deb12u2 not-affected
bullseye (security)	1.9.5p2-3+deb11u2 fixed
bookworm (security)	1.9.13p3-1+deb12u2 fixed
trixie	1.9.16p2-3 fixed
forky	1.9.17p2-1 fixed
sid	1.9.17p2-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

sudo

plucky	Fixed 1.9.16p2-1ubuntu1.1 released
oracular	Fixed 1.9.15p5-3ubuntu5.24.10.1 released
noble	Fixed 1.9.15p5-3ubuntu5.24.04.1 released
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

Known Exploits!

Common Weakness Enumeration

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

References

https://access.redhat.com/security/cve/cve-2025-32463

https://bugs.gentoo.org/show_bug.cgi?id=CVE-2025-32463

https://explore.alas.aws.amazon.com/CVE-2025-32463.html

https://security-tracker.debian.org/tracker/CVE-2025-32463

https://ubuntu.com/security/notices/USN-7604-1

https://www.openwall.com/lists/oss-security/2025/06/30/3

https://www.secpod.com/blog/sudo-lpe-vulnerabilities-resolved-what-you-need-to-know-about-cve-2025-32462-and-cve-2025-32463/

https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot

https://www.sudo.ws/releases/changelog/

https://www.sudo.ws/security/advisories/

https://www.sudo.ws/security/advisories/chroot_bug/

https://www.suse.com/security/cve/CVE-2025-32463.html

https://www.suse.com/support/update/announcement/2025/suse-su-202502177-1/

https://www.vicarius.io/vsociety/posts/cve-2025-32463-detect-sudo-vulnerability

https://www.vicarius.io/vsociety/posts/cve-2025-32463-mitigate-sudo-vulnerability

https://iototsecnews.jp/2025/07/01/linux-sudo-chroot-vulnerability-enables-hackers-to-elevate-privileges-to-root/

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32463