Critical Linux “sudo” flaw allows any user to take over the system


Millions of Linux systems worldwide, including those running critical services, are potentially vulnerable to a new, easy-to-exploit sudo flaw that allows unauthorized users to run commands as root on Ubuntu, Fedora, and other servers.

Sudo is a utility that allows users to run commands as root, the superuser, on Linux machines. Two critical flaws affecting sudo were discovered by the Stratascale Cyber Research Unit (CRU) team.

Security researchers warn that any user can quickly gain unrestricted access. Attackers can exploit this, run arbitrary commands as root, and completely take over the system.

The bug first appeared in version 1.9.14, released in June 2023, and was fixed in the latest sudo version 1.9.17p1, released on June 30th, 2025. Exploitation has been verified on Ubuntu and Fedora servers, but many more systems may be affected.

“These vulnerabilities can result in the escalation of privileges to root on the impacted system,” the report reads.

They urge administrators to install the latest sudo packages as soon as possible, as no other workarounds exist.

“The default sudo configuration is vulnerable,” Rich Mirch from Stratascale Cyber Research Unit explains.

The researchers released proof-of-concept code publicly, and other teams were able to replicate the findings.

Vulnerability involves the sudo chroot feature

The critical flaws lie in the seldom-used chroot option in sudo. This option modifies the working root directory for a specific process and limits access to the rest of the file system.

While it is intended to lock users in their home directory, the flaws allow them to break out and elevate their privileges. Exploiting the flaws does not require any sudo rules to be defined for the user.

“As a result, any local unprivileged user could potentially escalate privileges to root if a vulnerable version is installed,” the researcher said.

To exploit this flaw, attackers would need to create an /etc/nsswitch.conf file under the user-specified root directory and trick sudo into loading an arbitrary shared library. This file defines how the system resolves user accounts, groups, hostnames, services, etc.

Sudo maintainers confirmed the issue and deprecated the chroot option in version 1.9.17p1.

“An attacker can leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file,” they said in an advisory.

Mirch’s script demonstrates how an unprivileged attacker can create a temporary directory, add a file with a function to grant itself full root access, compile a malicious shared library that would load it, and then trick sudo with the chroot option to execute it with elevated privileges. Thus, the attacker can effectively take full control of the system.

Due to the risks of making the environment less secure, it is recommended that admins avoid using chroot options.

“Search your environment for any use of the chroot option. Review all Sudo rules defined in /etc/sudoers, and files under /etc/sudoers.d. If the Sudo rules are stored in LDAP, use tools such as ldapsearch to dump the rules,” Mirch writes.
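
The review described above can be scripted. The following is an added example, not code from Mirch or the sudo project: it flags sudo versions in the range this article gives and lists sudoers lines that use the chroot option. The function names are illustrative, it assumes `CHROOT=` (rule tag) and `runchroot` (Defaults setting) are the sudoers spellings of the option, it must run as root to read /etc/sudoers, and it does not cover rules stored in LDAP.

```shell
#!/bin/sh
# Added example: audit a host for the sudo chroot flaw described above.

# Exit 0 if the version is in the range the article gives
# (1.9.14 up to, but not including, 1.9.17p1), 1 if not, 2 if unparseable.
is_vulnerable_version() {
    printf '%s\n' "$1" | awk -F'[.p]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?$/ { exit 2 }
        {
            k  = (($1 * 1000 + $2) * 1000 + $3) * 1000 + $4
            lo = ((1 * 1000 + 9) * 1000 + 14) * 1000      # 1.9.14
            hi = ((1 * 1000 + 9) * 1000 + 17) * 1000 + 1  # 1.9.17p1
            exit !(k >= lo && k < hi)
        }'
}

# Print file:line:text for every non-comment sudoers line that uses the
# chroot option, as a CHROOT= rule tag or a runchroot Defaults setting.
find_chroot_rules() {
    for fcr_path in "$@"; do
        [ -e "$fcr_path" ] || continue
        grep -rnHE 'CHROOT=|runchroot' "$fcr_path" 2>/dev/null |
            grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true
    done
}

# Run the audit only when asked: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    ver=$(sudo -V 2>/dev/null | awk 'NR == 1 { print $3 }')
    is_vulnerable_version "$ver"
    case $? in
        0) echo "sudo $ver: in the affected range, check for a patched package" ;;
        1) echo "sudo $ver: outside the affected range" ;;
        *) echo "sudo version '$ver' not recognised, check manually" ;;
    esac
    echo "sudoers lines using the chroot option:"
    find_chroot_rules /etc/sudoers /etc/sudoers.d
fi
```

Distribution packages often backport fixes without changing the upstream version string, so treat a version match as a prompt to check the vendor's advisory rather than as proof the host is exploitable.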

Millions of systems may be affected by this bug. German publication heise.de even discovered freshly installed Ubuntu virtual machines at a large German cloud hosting provider that are still vulnerable to the flaw, despite a patch being available.
