CVE-2021-3156: Heap-Based Buffer Overflow Vulnerability in sudo

On January 26, researchers at Qualys disclosed a vulnerability in sudo, a prominent program included in most Linux and Unix-like operating systems.

The vulnerability, identified as CVE-2021-3156, is a heap-based buffer overflow vulnerability in the way sudo treats command-line arguments. A local, non-privileged user could pass a specially crafted command-line argument to sudo in order to elevate to root privileges.

Based on code commits, it appears the vulnerability was first introduced on July 29, 2011 and exists in the following legacy releases and stable releases.

Legacy versions: 1.8.2 through 1.8.31p2

Stable releases: 1.9.0 through 1.9.5p1

Because the vulnerability persists in a program used by most Linux and Unix-like operating systems, updates to sudo are expected to be rolled out soon. We have compiled a list of advisories from vendors here. Please note that this is not an exhaustive list and will be updated when more advisories are published.

For our customers, associated plugins will appear here as they are released.