CVE-2021-3156

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 26 January 2021

Modified: 10 November 2025
KEV Added: 06 April 2022
Patch: 14 September 2021
CVSS v3.1: 7.8 (High), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.9930 (99.9th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2021-3156 is a high-severity off-by-one error (CWE-193) in Sudo (Sudo Project) that results in a heap-based buffer overflow exploitable by any local user for root. Its CVSS 3.1 base score is 7.8 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; public proof-of-concept code is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege). SI-2, that is upgrading to sudo 1.9.5p2 (1.8.32 on the legacy branch) or a distribution package carrying the backported fix, is the control that removes the bug. AC-6 helps only insofar as it limits which accounts obtain local shell access, because the overflow is reachable by users who have no sudoers entry at all.

Deeper analysis

Sudo before 1.9.5p2 (and the legacy 1.8 branch before 1.8.32) is affected by an off-by-one error that produces a heap-based buffer overflow, tracked as CVE-2021-3156 and assigned CWE-193; Qualys, which reported it, named it Baron Samedit. When sudo runs a command through a shell (-s or -i), the front end escapes shell metacharacters in the arguments with backslashes, and the sudoers plugin's set_cmnd() later strips those backslashes while concatenating the arguments into a heap buffer (user_args) used for rule matching and logging. The escaping step runs only in ordinary run mode, but sudo invoked as sudoedit selects edit mode while still accepting -s (or -i), so the unescaping loop is applied to arguments that were never escaped. The loop sizes user_args from the arguments' string lengths, yet on seeing a backslash it steps over the next character without checking for the terminating NUL. An argument that ends in a single backslash therefore makes the copy run past its own terminator into whatever string follows in memory (the next argument, or the environment block), writing beyond the allocation.

Any local user can trigger the overflow: set_cmnd() runs before sudoers rules are evaluated, so the attacker needs no sudo rights and no entry in sudoers at all. Qualys reported working root exploits against Ubuntu 20.04 (sudo 1.8.31), Debian 10 (1.8.27) and Fedora 33 (1.9.2). The vulnerability carries a CVSS 3.1 base score of 7.8 under the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; PR:L reflects that an unprivileged local account is sufficient.

Public exploit code demonstrating the issue against multiple Sudo releases has been posted to Packet Storm, confirming that working proof-of-concept attacks exist for releases prior to the 1.9.5p2 fix.
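The following program is an added illustration of the mechanism described above; it is not sudo's source code and not part of the original page. It models the unescaping loop in sudoers set_cmnd() with the 1.9.5p2 guard selectable, lays the argument and environment strings out back to back as the kernel does on the process stack, and measures how many bytes the loop stores beyond the size it computed. The function names (build_user_args, overflow_bytes), the struct, the size limits and the sample arguments (the shape of the published crash trigger, sudoedit -s '\' followed by a run of bytes) are this example's own constructions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the backslash-unescaping loop in sudoers set_cmnd() as shipped in
 * sudo 1.8.2 through 1.9.5p1, with the 1.9.5p2 guard selectable.  This is an
 * added illustration, not sudo's source.  Strings are laid out back to back,
 * NUL-separated, the way the kernel places argv[] and envp[] on the process
 * stack, so that running past a terminator reads the next string instead of
 * faulting, which is exactly what made the bug exploitable.
 */

#define LAYOUT_MAX 1024                          /* modelled stack bytes             */
#define MAX_ARGS   8
#define OUT_MAX    (MAX_ARGS * (LAYOUT_MAX + 4)) /* bound on what the loop can write */

struct user_args {
    size_t alloc;      /* what set_cmnd() malloc()s: sum of strlen(arg) + 1         */
    size_t written;    /* bytes the copy loop actually stores, final NUL included    */
    size_t overflow;   /* bytes stored past the allocation, 0 when safe              */
    const char *text;  /* the reconstructed user_args string                         */
};

/*
 * args: NULL-terminated argument list (NewArgv + 1 in sudoers).
 * env:  NULL-terminated strings that follow argv in memory (envp).
 * fixed: 0 runs the vulnerable loop, 1 adds the 1.9.5p2 check.
 * Returns 0 on success, -1 if the model's size limits are exceeded.
 */
int build_user_args(const char *const *args, const char *const *env,
                    int fixed, struct user_args *r)
{
    static char layout[LAYOUT_MAX + 2];
    static char out[OUT_MAX];
    const char *av[MAX_ARGS + 1];
    size_t n = 0, i, j, len;
    char *to = out;

    memset(r, 0, sizeof *r);
    for (i = 0; args[i] != NULL; i++) {
        len = strlen(args[i]) + 1;
        if (i >= MAX_ARGS || n + len > LAYOUT_MAX)
            return -1;
        memcpy(layout + n, args[i], len);
        av[i] = layout + n;
        n += len;
    }
    av[i] = NULL;
    if (av[0] == NULL)                 /* sudoers only builds user_args when NewArgc > 1 */
        return -1;
    for (j = 0; env[j] != NULL; j++) {
        len = strlen(env[j]) + 1;
        if (n + len > LAYOUT_MAX)
            return -1;
        memcpy(layout + n, env[j], len);
        n += len;
    }
    layout[n] = layout[n + 1] = '\0';  /* the envp block ends with an empty string */

    /* set_cmnd() sizes the heap buffer from the argument lengths ... */
    for (i = 0; av[i] != NULL; i++)
        r->alloc += strlen(av[i]) + 1;

    /* ... then copies, unescaping backslashes, trusting the NUL terminators. */
    for (i = 0; av[i] != NULL; i++) {
        const char *from = av[i];
        while (*from) {
            if (from[0] == '\\' && (!fixed || from[1] != '\0') &&
                !isspace((unsigned char)from[1]))
                from++;   /* unfixed: lands on the NUL; the copy below then walks past it */
            *to++ = *from++;
        }
        *to++ = ' ';
    }
    *--to = '\0';

    r->written  = (size_t)(to - out) + 1;
    r->overflow = r->written > r->alloc ? r->written - r->alloc : 0;
    r->text     = out;
    return 0;
}

/* Convenience wrapper: overflow in bytes for args under a sample environment. */
size_t overflow_bytes(const char *const *args, int fixed)
{
    static const char *const env[] = { "PATH=/usr/bin", "HOME=/home/user", NULL };
    struct user_args r;
    return build_user_args(args, env, fixed, &r) == 0 ? r.overflow : (size_t)-1;
}

int main(void)
{
    /* constructed input, the shape of the published crash trigger: sudoedit -s '\' AAAAAAAA */
    const char *const args[] = { "\\", "AAAAAAAA", NULL };
    int fixed;

    for (fixed = 0; fixed <= 1; fixed++)
        printf("%s: %zu byte(s) written past the allocation\n",
               fixed ? "1.9.5p2" : "1.9.5p1", overflow_bytes(args, fixed));
    return 0;
}
```

With the unfixed loop the lone backslash causes the bytes of the following argument to be copied twice, so the overflow equals the length of that argument, which is why the published trigger just makes the second argument long; when the backslash argument is the last one, the bytes copied past the terminator come from the first environment string instead. The fixed loop refuses to step over a NUL and stays exactly within the computed size.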

Vulnerability details

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

CWE(s): CWE-193 (Off-by-one Error)

Related Threats

CVEs Like This One

CVE-2020-1472 · same product: Debian / Debian Linux · both on KEV
CVE-2023-4911 · same product: Debian / Debian Linux · both on KEV
CVE-2025-24813 · same product: Debian / Debian Linux · both on KEV
CVE-2021-44228 · same product: Debian / Debian Linux · both on KEV
CVE-2024-10442 · same product: Synology / DiskStation Manager
CVE-2022-0847 · same product: Fedora Project / Fedora · both on KEV
CVE-2025-0411 · same product: NetApp / Active IQ Unified Manager · both on KEV
CVE-2024-54085 · same product class: NAS / storage appliance · both on KEV
CVE-2025-26465 · same product: Debian / Debian Linux
CVE-2024-45538 · same product: Synology / DiskStation Manager

Affected Assets

sudo project / sudo: 1.8.2 through 1.8.31p2 (fixed in 1.8.32) · 1.9.0 through 1.9.5p1 (fixed in 1.9.5p2)
fedoraproject / fedora: 32, 33
debian / debian linux: 9.0, 10.0
netapp / active iq unified manager: all versions
netapp / cloud backup: all versions
netapp / hci management node: all versions
netapp / oncommand unified manager core package: all versions
netapp / ontap select deploy administration utility: all versions
netapp / ontap tools: 9
netapp / solidfire: all versions
+14 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2, Flaw Remediation)

Directly requires timely installation of sudo 1.9.5p2 (1.8.32 on the legacy branch) or of a distribution package that backports the fix, which eliminates the off-by-one heap overflow. Distribution packages keep the upstream version string (Debian 10 shipped the fix while still reporting 1.8.27), so confirm remediation from the package changelog or a behavioural check rather than from the version number alone.
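The program below is an added example of how to verify remediation; it is not from the page, the sudo project or the advisory. It combines a version-range test using the upstream bounds (1.8.2 through 1.8.31p2, 1.9.0 through 1.9.5p1) with the behavioural probe published by Qualys: run as an unprivileged user, sudoedit -s / answers "not a regular file" on a vulnerable build, because -s was accepted and the edit path reached the file check, and prints a usage error on a patched build, because parse_args now rejects -s. The function names, the sample banner text in the checks, and the decision to treat any other output as inconclusive are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* popen()/pclose() are POSIX, not ISO C; declared here so the example also
 * builds in strict -std=c11 mode.  Signatures match the glibc ones. */
extern FILE *popen(const char *command, const char *mode);
extern int pclose(FILE *stream);

/*
 * Added example, not from the page or the sudo project: two ways to decide
 * whether a host is exposed to CVE-2021-3156.  The version bounds are the
 * upstream ones (1.8.2..1.8.31p2 fixed in 1.8.32, 1.9.0..1.9.5p1 fixed in
 * 1.9.5p2); the behavioural probe and its two signatures come from the Qualys
 * advisory.  Function names and the sample banner text are this example's own.
 */

/* Parse "1.8.31p2" or "1.9.5" into components; a missing pN counts as p0. */
int parse_sudo_version(const char *s, int *maj, int *min, int *pat, int *pl)
{
    *pl = 0;
    return sscanf(s, "%d.%d.%dp%d", maj, min, pat, pl) >= 3 ? 0 : -1;
}

/*
 * 1 if the upstream version string falls in a vulnerable range, 0 if not,
 * -1 if it cannot be parsed.  Distributions backport the fix without changing
 * the upstream number (Debian 10 stayed at 1.8.27), so a 1 here is a lead,
 * not a verdict; the probe below is authoritative.
 */
int version_in_vulnerable_range(const char *ver)
{
    int maj, min, pat, pl;
    if (parse_sudo_version(ver, &maj, &min, &pat, &pl) != 0)
        return -1;
    if (maj != 1)
        return 0;
    if (min == 8)
        return pat >= 2 && pat < 32;                 /* 1.8.2 .. 1.8.31p2 */
    if (min == 9)
        return pat < 5 || (pat == 5 && pl < 2);      /* 1.9.0 .. 1.9.5p1  */
    return 0;
}

/*
 * Classify the first line printed by `sudoedit -s /` run as an unprivileged
 * user: 1 = vulnerable (-s was accepted and sudoedit reached the file check),
 * 0 = patched (parse_args rejected -s with a usage message),
 * -1 = something else, which needs a human look.
 */
int classify_probe_output(const char *line)
{
    if (strstr(line, "not a regular file") != NULL)
        return 1;
    if (strncmp(line, "usage:", 6) == 0)
        return 0;
    return -1;
}

/* Pull "X.Y.ZpN" out of the first line of `sudo --version`. */
int version_from_banner(const char *banner, char *buf, size_t len)
{
    static const char prefix[] = "Sudo version ";
    const char *p = strstr(banner, prefix);
    size_t i = 0;
    if (p == NULL)
        return -1;
    p += sizeof prefix - 1;
    while (i + 1 < len && p[i] != '\0' && p[i] != '\n' && p[i] != ' ') {
        buf[i] = p[i];
        i++;
    }
    buf[i] = '\0';
    return i > 0 ? 0 : -1;
}

int main(void)
{
    char line[512], ver[64];
    FILE *fp;

    fp = popen("sudo --version 2>/dev/null", "r");
    if (fp != NULL) {
        if (fgets(line, sizeof line, fp) != NULL &&
            version_from_banner(line, ver, sizeof ver) == 0)
            printf("sudo %s: upstream range says %s\n", ver,
                   version_in_vulnerable_range(ver) == 1 ? "vulnerable" : "not vulnerable");
        pclose(fp);
    }
    fp = popen("sudoedit -s / 2>&1 </dev/null", "r");  /* stdin closed: no prompt can block */
    if (fp != NULL) {
        if (fgets(line, sizeof line, fp) != NULL) {
            int v = classify_probe_output(line);
            printf("probe: %s\n", v == 1 ? "VULNERABLE" : v == 0 ? "patched" : "inconclusive");
        }
        pclose(fp);
    }
    return 0;
}
```

Run it as a normal user, not as root, since the probe's signatures were published for the unprivileged case. The version check alone over-reports on distribution builds that backported the fix, so treat the probe's answer as the one that counts and investigate any inconclusive output by hand.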

prevent (AC-6, Least Privilege)

Least-privilege sudoers rules limit what each account may normally run, but they do not shrink the attacker population for this bug: the overflow occurs in set_cmnd() before any sudoers rule is evaluated, so a local user with no sudoers entry at all can trigger it. The control helps only insofar as it limits which accounts are given local shell access on the host.

prevent

Removing or restricting the sudoedit binary does not close the vulnerable path. sudo selects edit mode from its own argv[0], so a user-created symlink named sudoedit pointing at the sudo binary (or any execve with that argv[0]) reaches the same code, and there is no configuration switch that disables -s. Only the 1.9.5p2 code change, which makes sudoedit reject -s and -i and stops the unescape loop at a trailing backslash, removes the path; the practical compensating control while patching is to restrict untrusted local logins.
