Why the Critical Sudo Vulnerability (CVE‑2021‑3156) Went Unpatched for 10 Years
A heap‑buffer‑overflow bug in sudo (CVE‑2021‑3156) lets any local user obtain root without a password, existed for a decade before being fixed, and can be tested with a simple sudoedit command on vulnerable Linux distributions.
"This may be the most urgent sudo vulnerability in recent times."
Security researchers at Qualys discovered a severe flaw in sudo that allows any local user, whether or not they are listed in sudoers, to gain root privileges without knowing any password.
What kind of vulnerability
The bug is a heap-based buffer overflow in sudo's sudoers policy plugin. It comes from a mismatch between the sudo front end, which escapes special characters in the command's arguments before handing them over, and the plugin, which strips those escapes again when it rebuilds the command line for matching and logging. When the two disagree about whether escaping happened, the plugin's copy loop can run past the end of an argument and write beyond its heap buffer.
The vulnerability is identified as CVE-2021-3156, also known as "Baron Samedit".
Normally, sudo -s or sudo -i (shell mode) makes the front end escape meta-characters in each argument with a backslash, and the sudoers plugin later removes those backslashes. If sudo is started under the name sudoedit with -s or -i, however, the front end sets shell mode but skips the escaping, while the plugin still runs its unescaping loop. An argument that ends in a single, unescaped backslash then makes that loop step over the terminating NUL and keep copying whatever follows in memory into a buffer sized only for the original arguments. Because the command line is attacker-controlled, the size and content of the overflow can be steered, which is what turns it into a root escalation.
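To make the mismatch concrete, here is a simplified reproduction of the plugin's copy loop, added for this page and not taken from sudo's source. It runs over a constructed memory image: one argument that is a lone backslash, followed in memory by the bytes of an unrelated allocation, which is the heap situation the bug abuses. The names heap_image, alloc_size, unescape_args and the demo_* functions belong to this example; the image_end bound is an artificial guard so the demonstration itself stays well defined, since real sudo had no such bound. The fixed variant applies only the terminator check; the actual 1.9.5p2 fix additionally stops unescaping unless a command is really being run.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed memory image (not real sudo memory): the user's single
 * argument is "\" and the bytes of a neighbouring allocation follow its
 * terminating NUL, just as they would on a real heap.
 */
static char heap_image[] = "\\" "\0" "NEXTCHUNK";
static char *const demo_argv[] = { heap_image, NULL };

/* Size the plugin allocates for the rebuilt command line:
 * strlen(arg) + 1 per argument (separator or final NUL). */
size_t alloc_size(char *const argv[])
{
    size_t size = 0;
    for (int i = 0; argv[i] != NULL; i++)
        size += strlen(argv[i]) + 1;
    return size;
}

/*
 * Simplified reproduction of the unescaping copy loop.  With fixed == 0 a
 * backslash is always treated as an escape, even when it is the last byte
 * of the argument; with fixed == 1 a backslash followed by NUL is kept as
 * data.  image_end bounds the over-read so this demo stays well defined.
 * Returns the number of bytes the loop wrote into out, or (size_t)-1 if
 * the scratch buffer would have been exceeded.
 */
size_t unescape_args(char *const argv[], const char *image_end,
                     char *out, size_t out_cap, int fixed)
{
    char *to = out;
    if (argv[0] == NULL)
        return 0;                           /* nothing to rebuild */
    for (int i = 0; argv[i] != NULL; i++) {
        const char *from = argv[i];
        while (from < image_end && *from != '\0') {
            if (from[0] == '\\' && !isspace((unsigned char)from[1]) &&
                (!fixed || from[1] != '\0'))
                from++;                     /* drop the escape character */
            if ((size_t)(to - out) >= out_cap)
                return (size_t)-1;
            /* With a trailing '\' and fixed == 0 this copies the NUL and
             * leaves `from` pointing past the end of the argument. */
            *to++ = *from++;
        }
        if ((size_t)(to - out) >= out_cap)
            return (size_t)-1;
        *to++ = ' ';                        /* argument separator */
    }
    *--to = '\0';                           /* replace last space with NUL */
    return (size_t)(to - out) + 1;
}

size_t demo_alloc(void)
{
    return alloc_size(demo_argv);
}

size_t demo_vulnerable(void)
{
    char scratch[64];
    return unescape_args(demo_argv, heap_image + sizeof(heap_image),
                         scratch, sizeof(scratch), 0);
}

size_t demo_fixed(void)
{
    char scratch[64];
    return unescape_args(demo_argv, heap_image + sizeof(heap_image),
                         scratch, sizeof(scratch), 1);
}

int main(void)
{
    printf("allocated %zu bytes; vulnerable loop wrote %zu; fixed loop wrote %zu\n",
           demo_alloc(), demo_vulnerable(), demo_fixed());
    return 0;
}
```

The vulnerable path writes 11 bytes into a buffer sized for 2: the copied NUL plus the nine bytes of the neighbouring chunk, stopping only when it happens to hit another NUL. The fixed path keeps the backslash as data and writes exactly the two bytes that were allocated. In the real attack the attacker controls both the argument lengths and the heap layout around the buffer, so the overwrite lands on a chosen structure rather than on random bytes.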
Researchers successfully obtained full root privileges on multiple Linux distributions, including Ubuntu 20.04 (sudo 1.8.31), Debian 10 (sudo 1.8.27) and Fedora 33 (sudo 1.9.2). Qualys notes that other Linux versions are likely vulnerable as well.
Vulnerability existed for 10 years
The flaw has been present since July 2011, when it was introduced by commit 8255ed69. It affects all stable releases from 1.9.0 to 1.9.5p1 and all legacy releases from 1.8.2 to 1.8.31p2, in their default configuration.
A fixed release, sudo 1.9.5p2, was published before Qualys released the details. Upgrading to 1.9.5p2 or newer, or to a distribution package that backports the fix, closes the hole.
How to test if your sudo version is vulnerable
Log in as a non-root user and run: sudoedit -s / On a vulnerable system the command fails with an error beginning with sudoedit: (for example sudoedit: /: not a regular file), because the sudoedit code path still accepts the -s flag. On a patched system the flag is rejected and the error begins with usage:. Prefer this check over reading the version string: distributions commonly backport the fix without changing the upstream version number, so a package that still reports 1.8.31 may or may not be fixed depending on the vendor's patch level.
Why was it unpatched for a decade?
One reason is that bug reports against tools like sudo are often never properly reproduced or tested. Without a working reproduction, maintainers have little evidence on which to prioritize a fix. Patches are also sometimes shipped without thorough testing, which risks incomplete fixes or regressions.
There is also no formal review process for user-submitted patches in the sudo project, which adds further delay.
For ordinary users, there is no perfect solution other than staying vigilant, keeping systems updated, and limiting untrusted user access.
References:
https://www.theregister.com/2021/01/26/qualys_sudo_bug/
https://news.ycombinator.com/item?id=25919235
https://bit.ly/36hvlal
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.