IRONSMITHINTEL
HIGHCVSS7.8
|
Actively Exploited
|CISA KEV|CVE-2021-3156|Auth: low — authenticated user|Reboot: required|Manual only

Sudo Heap-Based Buffer Overflow Vulnerability

Sudo contains an off-by-one error that can result in a heap-based buffer overflow, which allows for privilege escalation.

Published Jan 26, 2021 · Updated May 16, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

A local attacker, with a low-privilege account, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2022-04-27 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Software Vulnerability (CWE-193) (CWE-193) vulnerability in Sudo Sudo. Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character. Exploitation requires local access, low attack complexity, a low-privilege authenticated account, and no user interaction required.

Am I affected?Quick check

Probably yes if any of these apply:

IT Security
Running sudo: 1.8.2 ≤ v < 1.8.32, 1.9.0 ≤ v < 1.9.5, 1.9.5; fedora: 32, 33; debian linux: 9.0, 10.0; active iq unified manager: -; cloud backup: -; hci management node: -; oncommand unified manager core package: -; ontap select deploy administration utility: -; ontap tools: 9; solidfire: -; web gateway: 8.2.17, 9.2.8, 10.0.4; diskstation manager unified controller: 3.0; diskstation manager: 6.2; skynas firmware: -; vs960hd firmware: -; privilege management for mac: v < 21.1.1; privilege management for unix\/linux: v < 10.3.2-10; micros compact workstation 3 firmware: 310; micros es400 firmware: 400 ≤ v ≤ 410; micros kitchen display system firmware: 210; micros workstation 5a firmware: 5a; micros workstation 6 firmware: 610 ≤ v ≤ 655; communications performance intelligence center: 10.3.0.0.0 ≤ v ≤ 10.3.0.2.1, 10.4.0.1.0 ≤ v ≤ 10.4.0.3.1; tekelec platform distribution: 7.4.0 ≤ v ≤ 7.7.1
Real-world incidentsWhat we've seen

Active exploitation documented in the wild. Threat-research write-up: http://packetstormsecurity.com/files/161160/Sudo-Heap-Based-Buffer-Overflow.html

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply updates per vendor instructions.

References

    1
    Vendor advisory: http://www.openwall.com/lists/oss-security/2021/09/14/2
    1
    NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-3156
    1
    CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-3156
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2021-3156NVDVendor Advisory