Overview
CVE-2021-3156, nicknamed "Baron Samedit" by Qualys, is a heap-based buffer overflow in sudo, the utility that delegates root commands to authorised users under the /etc/sudoers policy, that lets any unprivileged local user obtain a full root shell. No entry in /etc/sudoers is required, no password prompt is triggered, and nothing beyond an ordinary local account is needed. The vulnerability was present in sudo versions 1.8.2 through 1.9.5p1, nearly ten years of releases from July 2011 to January 2021.
What Is sudo?
sudo ("superuser do") is the standard mechanism on Linux and macOS for allowing specified users to run commands as root or another user, governed by the /etc/sudoers policy file. It is installed by default on virtually every Linux server and workstation and is a critical piece of system administration infrastructure. Because sudo is setuid root — it must run as root to be able to switch users — a bug in its argument handling can be leveraged for privilege escalation by any local user.
Affected Versions
The vulnerable code path was introduced in sudo 1.8.2 (July 2011), when shell-mode argument unescaping was added.
| Version Range | Status |
|---|---|
| sudo 1.8.2 – 1.9.5p1 | Vulnerable |
| sudo 1.9.5p2 | Fixed |
| sudo < 1.8.2 | Not affected |
Affected distributions (at time of disclosure): Ubuntu 14.04–20.10, Debian 9/10/11, RHEL/CentOS 6/7/8, Fedora, SUSE, and macOS, which ships sudo as part of the base system. Essentially every Linux server and macOS system carried a sudo in the affected range. Note that distributions shipped the fix as a backport without changing the upstream version string, so a patched package can still report a version inside that range; see Remediation.
Technical Details
Root Cause: Off-by-One in Shell-Mode Argument Unescaping
When sudo is asked to run a command through a shell (sudo -s or sudo -i), the sudo front-end escapes shell metacharacters in the arguments with a backslash before they reach the shell. The sudoers policy plugin needs the unescaped text for policy matching and logging, so set_cmnd() reverses this: it concatenates the arguments into a heap buffer, user_args, and while copying, whenever it meets a backslash followed by a non-space character it drops the backslash and copies the character after it.
The bug is in that copy loop. The check asks only whether the character after the backslash is whitespace, not whether the argument has ended. When an argument ends in a lone backslash, the character after it is the argument's terminating NUL: the loop steps over the backslash, copies the NUL as if it were data, and keeps reading past the end of the argument into whatever follows it in memory, which is the next argument string and, after the last argument, the environment strings. user_args was sized for exactly one copy of each argument (the sum of their lengths plus separators), so every byte read past a terminator is written beyond the end of the allocation. The overflow is not a single byte: its length and contents are whatever the caller placed after the short argument. NVD files the weakness as CWE-193, an off-by-one, since the test stops one byte short of the terminator.
Triggering the Bug
The classic trigger is sudoedit invoked with a shell-mode flag, an option combination sudoedit was never meant to accept but which still reaches the unescaping code. The Qualys test command is:
sudoedit -s '\' $(python3 -c 'print("A"*65536)')
NewArgv[1] is a lone backslash. set_cmnd() allocates user_args for one copy of each argument (about 64 KiB here); the loop then steps over the backslash onto its NUL, copies the NUL, runs on through the 65536 'A's that follow it in memory, and afterwards copies the same 'A's a second time as the next argument. Roughly 64 KiB land past the end of the heap block; glibc usually reports this as "malloc(): corrupted top size" and aborts, or the process segfaults. The overflow's length and contents are chosen by the caller through the argument and environment strings, and that control over adjacent heap data is what Qualys and the public exploits turned into code execution as root.
sudoedit -s is a nonsensical invocation, since sudoedit has no shell mode, and that is exactly why the bug survived: the front-end escapes arguments only for commands it will actually run (sudo -s, sudo -i), but it still records the -s flag, and set_cmnd() in the sudoers plugin keys its unescaping on that flag alone, so in edit mode it unescapes text that was never escaped. A normal sudo -s '\' is harmless because the front-end has already turned the lone backslash into a doubled one, and the loop never meets a backslash as the last byte of an argument. The 1.9.5p2 fix closes both ends: the front-end rejects -s and -i together with sudoedit (which is why a patched build prints its usage message on the command above), and the unescaping test now also requires that the byte after the backslash is not the terminator.
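What the loop does with the test command above, as an added example written for this page rather than code taken from sudo or the Qualys advisory: layout_args() places the argument strings back-to-back followed by a constructed environment string, the way argv and envp sit in a real process; unescape_overrun() is the set_cmnd() copy loop with the 1.9.5p1 and 1.9.5p2 checks selectable, writing into a counted scratch buffer so the overrun is measured instead of performed; overflow_for() and the other names are the example's own. Run as written it reports three cases: sudoedit -s with the old check (64 KiB past the allocation), the same input with the patched check (nothing past it), and sudo -s, where the front-end had already doubled the backslash. The 65536 figure is the length of the run of 'A's, not a constant of the bug; the model takes any argv.

```c
/* Model of the CVE-2021-3156 unescaping loop, written for this page; it is not
 * sudo's source.  layout_args(), unescape_overrun() and overflow_for() are the
 * example's own names, the env string is constructed, and the copy goes into a
 * scratch buffer big enough for anything the loop can do: the overrun is counted. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct arg_block {
    char *mem;          /* argv[1..] strings, then the env string, then a NUL sentinel */
    size_t len;
    const char **argv;  /* NULL-terminated; argv[0] is the command name */
    int argc;
};

static void *xalloc(size_t n)
{
    void *p = calloc(n, 1);
    if (p == NULL) { perror("calloc"); exit(1); }
    return p;
}

/* Strings back-to-back, as argv and envp sit on a process's stack; set_cmnd()
 * builds user_args from NewArgv + 1, so argv[0] is referenced, not copied. */
static struct arg_block layout_args(const char *const *argv, const char *env_tail)
{
    struct arg_block b = {0};
    while (argv[b.argc] != NULL) b.argc++;
    for (int i = 1; i < b.argc; i++) b.len += strlen(argv[i]) + 1;
    b.len += strlen(env_tail) + 2;               /* env string, its NUL, sentinel */
    b.mem = xalloc(b.len);
    b.argv = xalloc(((size_t)b.argc + 1) * sizeof *b.argv);  /* zeroed: argv[argc] == NULL */
    b.argv[0] = argv[0];
    char *p = b.mem;
    for (int i = 1; i < b.argc; i++) {
        b.argv[i] = strcpy(p, argv[i]);
        p += strlen(argv[i]) + 1;
    }
    strcpy(p, env_tail);
    return b;
}

static void free_block(struct arg_block *b) { free(b->mem); free(b->argv); }

/* The set_cmnd() copy loop.  *alloc_out is the malloc() size sudo requests, one
 * copy of each argument plus separators; fixed == 1 adds the 1.9.5p2 test that
 * a backslash must not be the last byte of its argument.  Returns how many
 * bytes the loop used beyond the allocation, i.e. the heap overflow length. */
static size_t unescape_overrun(const struct arg_block *b, int fixed,
                               size_t *alloc_out, size_t *used_out)
{
    size_t size = 0;
    for (int i = 1; i < b->argc; i++) size += strlen(b->argv[i]) + 1;
    *alloc_out = size; *used_out = 0;
    if (size == 0) return 0;                     /* sudo skips the copy when NewArgc < 2 */
    /* one pass can read at most to the end of the block, then writes a space */
    char *scratch = xalloc((size_t)b->argc * (b->len + 1) + 1), *to = scratch;
    for (int i = 1; i < b->argc; i++) {
        const char *from = b->argv[i];
        while (*from) {
            if (from[0] == '\\' && (!fixed || from[1] != '\0') && !isspace((unsigned char)from[1]))
                from++;                          /* drop the backslash, keep what follows */
            *to++ = *from++;                     /* unfixed: copies the NUL and runs on */
        }
        *to++ = ' ';
    }
    *--to = '\0';
    *used_out = (size_t)(to - scratch) + 1;
    free(scratch);
    return *used_out > size ? *used_out - size : 0;
}

static size_t overflow_for(const char *const *argv, const char *env_tail, int fixed)
{
    struct arg_block b = layout_args(argv, env_tail);
    size_t alloc, used, over = unescape_overrun(&b, fixed, &alloc, &used);
    free_block(&b);
    return over;
}

int main(void)
{
    enum { N = 65536 };                          /* the 'A' run in the Qualys test command */
    char *as = memset(xalloc(N + 1), 'A', N);
    const char *edit[] = {"sudoedit", "\\", as, NULL};
    for (int fixed = 0; fixed < 2; fixed++)
        printf("sudoedit -s '\\' A*%d, %s loop: %zu bytes past the allocation\n",
               N, fixed ? "1.9.5p2" : "1.9.5p1", overflow_for(edit, "LANG=C", fixed));
    /* sudo -s '\' A*N: parse_args() has already doubled the lone backslash and
     * joined the arguments into one `sh -c` string, so no argument ends in '\' */
    char *cmd = xalloc(N + 4);
    sprintf(cmd, "\\\\ %s", as);
    const char *shell[] = {"/bin/sh", "-c", cmd, NULL};
    printf("sudo -s '\\' A*%d, 1.9.5p1 loop: %zu bytes past the allocation\n",
           N, overflow_for(shell, "LANG=C", 0));
    free(cmd); free(as);
    return 0;
}
```

The figure reported for the first case equals the length of whatever follows the truncated argument in memory, which is why the Qualys exploits could size the overflow by choosing argument and environment lengths. Passing an argv whose last argument ends in a backslash shows the overrun continuing into the environment string, the case to keep in mind when reasoning about what the attacker controls.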
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Local — requires an existing user session |
| Privileges Required | None — any user account |
| sudoers Entry Required | No — the vulnerable code runs before policy is checked |
| Authentication Required | No password is prompted |
| Race Condition Required | No — deterministic heap overflow |
| Platforms Affected | Linux (all major distros), BSD, macOS with affected sudo |
The absence of a sudoers requirement is the critical point: even a freshly created, unprivileged account with no sudo access can exploit this to become root.
Discovery
The Qualys Research Team discovered Baron Samedit during a routine code audit of sudo. Qualys confirmed working exploits on:
- Ubuntu 20.04 (sudo 1.8.31)
- Ubuntu 20.10 (sudo 1.9.3)
- Debian 10 (sudo 1.8.27)
- Fedora 33 (sudo 1.9.2)
Qualys coordinated disclosure with the sudo maintainer (Todd Miller) and major distribution vendors, achieving synchronized patch releases across most major distributions on the same day as public disclosure: January 26, 2021.
Exploitation Context
Baron Samedit received immediate public attention due to its ubiquity — sudo is present on virtually every Linux system — and its accessibility to any local user regardless of sudo policy.
- Public exploits: Multiple working proof-of-concept exploits appeared within days of disclosure
- No sudo access needed: Made it particularly dangerous for shared hosting environments, university systems, and multi-tenant servers
- Jump server relevance: Sudo is present on nearly every Linux bastion host as a standard administration tool; Baron Samedit means any unprivileged shell session (e.g., a service account running a compromised application) can become root
- KEV listing: CISA added it over 14 months after disclosure (April 2022), confirming continued exploitation activity long after patches were available
- macOS exposure: macOS systems using the system sudo were affected; Apple addressed it in macOS Big Sur 11.2 and security updates for Catalina/Mojave
Remediation
Recommended Actions
- Update sudo to version 1.9.5p2 or later and verify with `sudo --version`. Distributions backported the fix without changing the upstream version string (Ubuntu 20.04, for example, stayed on 1.8.31), so on a packaged sudo compare the package version with your vendor's advisory, or use the behavioural check below, rather than trusting the upstream number alone.
- Apply distribution patches:
  - Ubuntu: `apt update && apt upgrade sudo`
  - Debian: `apt update && apt upgrade sudo`
  - RHEL/CentOS: `yum update sudo`
  - macOS: install macOS Big Sur 11.2, or Security Update 2021-001 on Catalina and Mojave
- Verify the fix as a non-root user. The non-destructive check from the Qualys advisory is:
  sudoedit -s /
  A vulnerable build answers with an error starting with "sudoedit:" (it tried to open the path for editing); a patched build rejects -s for sudoedit and answers with a line starting with "usage:". The crash test from the advisory also works: a vulnerable build aborts with a malloc() error or a segmentation fault, while a patched build again prints its usage message:
  sudoedit -s '\' $(python3 -c 'print("A"*65536)')
  Run the crash test only on hosts you administer; it corrupts the heap of a setuid root process.
- Audit sudo usage: review /etc/sudoers and /etc/sudoers.d/ for over-broad grants. Even after patching, least privilege limits the blast radius of the next sudo vulnerability.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-3156 |
| Vendor / Product | Sudo — Sudo |
| NVD Published | 2021-01-26 |
| NVD Last Modified | 2025-11-10 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-193 — Off-by-one Error |
| CISA KEV Added | 2022-04-06 |
| CISA KEV Deadline | 2022-04-27 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2011-07-01 | Vulnerability introduced in sudo 1.8.2 with addition of shell-mode argument unescaping |
| 2021-01-13 | Qualys sends its advisory to the sudo maintainer (Todd Miller) |
| 2021-01-19 | Qualys shares the advisory and patches with distribution vendors through the distros list for coordinated release |
| 2021-01-26 | Coordinated public disclosure; sudo 1.9.5p2 released with fix; Qualys advisory published |
| 2021-01-26 | CVE-2021-3156 published in NVD |
| 2022-04-06 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-04-27 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2021-3156 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Qualys Security Advisory — Baron Samedit: Heap-Based Buffer Overflow in Sudo | Security Research |
| Sudo Security Advisory — Heap-based buffer overflow in argument unescaping | Vendor Advisory |
| Red Hat Security Advisory — CVE-2021-3156 | Vendor Advisory |
| Ubuntu Security — CVE-2021-3156 | Vendor Advisory |
| CVE-2021-3156 Public PoC (blasty) | Security Research |
| CWE-193 — Off-by-one Error | Weakness Classification |