
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-32463 is a critical local privilege escalation vulnerability in Sudo versions 1.9.14 to 1.9.17. The vulnerability allows local users to obtain root access by exploiting Sudo's -R (--chroot) option, even when they are not listed in the sudoers file. The flaw was discovered in June 2025 and was assigned a CVSS score of 9.3 (Critical) (Ubuntu Security, Sudo Advisory).
The vulnerability stems from a change made in Sudo 1.9.14 under which paths are resolved inside the user-supplied chroot before the sudoers file is evaluated. An attacker can exploit this by creating a malicious /etc/nsswitch.conf under a root directory they specify; Sudo reads that file during command matching, and it instructs Sudo to load arbitrary shared libraries such as libnss_/woot1337.so.2. In short, the flaw lets a local user control path resolution while the sudoers file is being evaluated (Openwall, Security Online).
The vulnerability enables any local user to execute arbitrary commands with root privileges, effectively bypassing all security controls in the sudoers file. This represents a critical security breach as it allows complete system compromise by local users, regardless of their assigned permissions (NVD, Security Online).
The vulnerability has been fixed in Sudo version 1.9.17p1. The fix reverts the changes made in version 1.9.14 and deprecates the --chroot feature entirely. The patch removes the pivot_root() logic, making it impossible to call chroot() during command matching. System administrators are strongly advised to upgrade to version 1.9.17p1 or later (Sudo Advisory, Openwall).
The vulnerability has received significant attention due to its critical severity and the widespread use of Sudo in Unix-like systems. Major Linux distributions, including Ubuntu, have issued high-priority security advisories and patches. The security community has emphasized the importance of immediate patching due to the ease of exploitation and the availability of proof-of-concept code (Ubuntu Security, Security Online).
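Two checks a defender can run against the information above, added here as an example that is not code from the sudo project, the advisory or this page: a version-string test for the affected range the page gives (1.9.14 through 1.9.17, fixed in 1.9.17p1; treating the pN patch releases of 1.9.14 to 1.9.16 as inside that range is an assumption drawn from the "1.9.14 to 1.9.17" wording), and a scan of sudoers text for the `runchroot` / `CHROOT=` directives that the --chroot deprecation in 1.9.17p1 concerns. The version list and the sudoers fragment are constructed sample input.

```shell
#!/bin/sh
# Added example (not sudo project or advisory code): defender-side checks
# for CVE-2025-32463 as POSIX sh functions.
#   sudo_is_vulnerable VERSION  exit 0 if VERSION is in the affected range,
#                               1 if not, 2 if VERSION cannot be parsed
#   sudoers_uses_chroot         exit 0 if sudoers text on stdin enables chroot
# Affected range per the advisory: 1.9.14 through 1.9.17; fixed in 1.9.17p1.
# Assumption: every pN patch release of 1.9.14-1.9.16 is inside that range.

sudo_is_vulnerable() {
    v=$1
    base=${v%%p*}               # "1.9.15p5" -> "1.9.15"
    pl=${v#"$base"}             # -> "p5" (or "")
    pl=${pl#p}                  # -> "5"  (or "")
    [ -z "$pl" ] && pl=0
    # Accept only a plain a.b.c upstream version (no distro suffixes)
    case "$base" in
        *.*.*.*|*[!0-9.]*|.*|*.|*..*) return 2 ;;
        *.*.*) ;;
        *) return 2 ;;
    esac
    case "$pl" in *[!0-9]*) return 2 ;; esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Only the 1.9.x branch, releases 14 through 17, is affected
    [ "$major" -eq 1 ] && [ "$minor" -eq 9 ] || return 1
    [ "$patch" -ge 14 ] && [ "$patch" -le 17 ] || return 1
    # 1.9.17p1 and later patch levels of 1.9.17 carry the fix
    if [ "$patch" -eq 17 ] && [ "$pl" -ge 1 ]; then return 1; fi
    return 0
}

# Drops comment lines, then looks for "Defaults runchroot=..." or a
# "CHROOT=" tag on a command spec; these are the directives that the
# deprecated chroot feature depends on and that need reviewing before upgrade.
sudoers_uses_chroot() {
    grep -Ev '^[[:space:]]*#' | grep -Eq '(runchroot|CHROOT)[[:space:]]*='
}

# Constructed sudoers fragment for the demo (not taken from any real host).
SAMPLE_SUDOERS='# CHROOT=/old   (commented out, must not count)
Defaults    env_reset
Defaults    runchroot=/srv/jail
alice   ALL=(ALL) CHROOT=/srv/jail /usr/bin/id
bob     ALL=(ALL) /usr/bin/systemctl restart nginx'

for ver in 1.9.13p3 1.9.14 1.9.15p5 1.9.17 1.9.17p1 1.9.18; do
    if sudo_is_vulnerable "$ver"; then
        echo "sudo $ver: in the CVE-2025-32463 range, upgrade to 1.9.17p1 or later"
    else
        echo "sudo $ver: not in the affected range"
    fi
done

if printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_uses_chroot; then
    echo "sample sudoers uses chroot directives: review them before upgrading"
fi

# Check the locally installed binary, if any. "sudo -V" prints
# "Sudo version X.Y.Z" on its first line and needs no privileges.
if command -v sudo >/dev/null 2>&1; then
    installed=$(sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p')
    if [ -n "$installed" ] && sudo_is_vulnerable "$installed"; then
        echo "installed sudo $installed is in the affected range"
    fi
fi
```

The version test only reads the upstream version string, so a distribution that backports the fix without changing that string (the Ubuntu advisories mentioned above are an example of vendor patching) will still be reported as in range; confirm against the package changelog in that case. Reading /etc/sudoers and /etc/sudoers.d/* to feed `sudoers_uses_chroot` requires root.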
Source: This report was generated using AI