Wiz
Vulnerability DatabaseCVE-2023-42465

CVE-2023-42465
NixOS vulnerability analysis and mitigation

Overview

CVE-2023-42465 affects Sudo versions before 1.9.15, where a vulnerability exists that could allow row hammer attacks for authentication bypass or privilege escalation. The vulnerability stems from application logic that bases decisions on not equaling an error value instead of equaling a success value, and because the values used do not resist flips of a single bit (NVD, MITRE).

Technical details

The vulnerability involves the potential for bit flips in stack and register variables through fault injection, which can affect execution flow in security-sensitive code. The issue specifically relates to how authentication checks were implemented, where code would check if a value was not equal to an error state rather than explicitly checking for a success state. This implementation made the system susceptible to row hammer attacks that could flip bits in memory (ArXiv Paper). The vulnerability has a CVSS v3.1 base score of 7.0 (HIGH) with vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Impact

Successful exploitation of this vulnerability could lead to authentication bypass or privilege escalation. An attacker could potentially gain unauthorized access or elevated privileges by manipulating memory bits through row hammer attacks (Gentoo Advisory, NetApp Advisory).

Mitigation and workarounds

The vulnerability has been fixed in Sudo version 1.9.15 and later. The fix involves using ROWHAMMER-resistant values for authentication states (ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR, and AUTH_NONINTERACTIVE) and implementing explicit checks for expected values instead of using negated tests against error values (Sudo Release). Users are advised to upgrade to the latest version of Sudo to protect against this vulnerability.

Community reactions

The vulnerability was discovered by researchers from the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute. The discovery led to various Linux distributions releasing security advisories and patches, including Fedora and Gentoo (Fedora Update, Gentoo Advisory).

Additional resources

SourceThis report was generated using AI

Related NixOS vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-69264CRITICAL9.8
  • JavaScriptJavaScript
  • pnpm
NoYesJan 07, 2026
CVE-2025-69263HIGH8.8
  • JavaScriptJavaScript
  • pnpm
NoYesJan 07, 2026
CVE-2025-69262HIGH7.8
  • JavaScriptJavaScript
  • pnpm
NoYesJan 07, 2026
CVE-2025-20807MEDIUM6.7
  • NixOSNixOS
  • android
NoNoJan 06, 2026
CVE-2026-21885MEDIUM6.5
  • NixOSNixOS
  • miniflux
NoYesJan 08, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo