CVE-2021-3156: Baron Samedit Sudo Heap Overflow — Any Local User to Root
A heap buffer overflow in sudo present for nearly 10 years. Any unprivileged local user on any major Linux distribution can escalate to root without credentials, without sudo permissions, without a race condition.
CVE-2021-3156, named Baron Samedit by Qualys, is a heap buffer overflow in sudo — the Unix utility installed by default on virtually every Linux distribution and macOS. The vulnerability was introduced in July 2011 and remained undetected for nearly 10 years before Qualys disclosed it on January 26, 2021. Any unprivileged local user can exploit it to obtain root privileges on the host — without being listed in the sudoers file, without knowing any password, and without exploiting any race condition.
Qualys confirmed working exploits against default installations of Ubuntu 20.04, Ubuntu 18.04, Debian 10, and Fedora 33. The vulnerability was patched the same day it was disclosed, but any system that has not applied the update remains fully exploitable by any local user account — including service accounts typically used as initial footholds via web shells or compromised services.
How the Heap Overflow Works in sudo Shell Mode
When sudo is invoked in shell mode (via sudo -s or sudo -i), it preprocesses command-line arguments before executing them. This preprocessing escapes special characters by inserting backslash sequences. The routine allocates a heap buffer to hold the escaped arguments and determines the required buffer size based on the argument count and lengths.
The bug exists in the size calculation: when arguments end with backslash sequences, sudo miscounts the required buffer size — allocating less memory than the actual escaped output requires. The subsequent character-by-character copy overflows the allocated heap buffer, writing attacker-influenced data into adjacent heap memory. Through controlled heap layout manipulation, an attacker corrupts heap management structures in a way that redirects execution to attacker-controlled code running as root. The exploit requires no timing precision — it is deterministic and reliable on first attempt.
Obtain any local user access
The exploit requires any local user account on the target system. Common entry points include web shells from exploited web applications, compromised service accounts, or lateral movement from another compromised host.
Invoke sudo in shell mode with crafted arguments
Execute sudo with arguments crafted to trigger the heap size miscalculation. The specific argument structure varies by exploitation technique but causes sudo to undercount the required buffer size for the escaped argument output.
Trigger heap overflow
sudo copies escaped arguments into the undersized buffer, overflowing into adjacent heap memory. The overflow corrupts heap metadata or function pointers in adjacent allocations in a controllable way.
Achieve root code execution
The corrupted heap structures redirect execution to attacker-controlled code. The resulting process runs as root — providing full system access, persistence installation, and lateral movement capability.
Scope: Every Major Linux Distribution for 10 Years
The vulnerable code was present in sudo versions 1.8.2 through 1.9.5p1 — covering releases from July 2011 through January 2021. Every major Linux distribution shipped affected versions by default: Ubuntu LTS releases going back to 12.04, Debian stable releases, RHEL and CentOS 7 and 8, Fedora, SUSE, Arch, and Alpine. macOS systems with Homebrew-installed sudo were also affected.
The local attack vector is the primary factor keeping the CVSS score at 7.8 rather than Critical. But in practice, local access is routinely achieved through web application vulnerabilities, malicious packages, or phishing — making the distinction less meaningful for actual attack chains. Ransomware operators and APT groups use exactly this pattern: gain initial access as a low-privilege account, use a local privilege escalation vulnerability to achieve root, then move laterally or deploy ransomware.
“We have developed multiple variants of the exploit and have been able to obtain full root privileges on Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). Other operating systems and distributions are likely also exploitable.”
— Qualys Security Advisory, CVE-2021-3156, January 2021
Patching and Detecting CVE-2021-3156
The sudo project released version 1.9.5p2 (current branch) and 1.8.32 (legacy branch) on January 26, 2021 — the same day as Qualys's disclosure. All major distributions published updated packages the same day.
Update sudo immediately via package manager
Ubuntu/Debian: apt-get update && apt-get install sudo. RHEL/CentOS: yum update sudo or dnf update sudo. Fedora: dnf update sudo. Arch: pacman -Syu sudo. Verify the version with sudo --version — look for 1.9.5p2 or 1.8.32 or later.
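The version check above as a script, added here for this article and not part of the sudo project's tooling: it classifies an upstream sudo version string against the affected range 1.8.2 through 1.9.5p1 and then applies the same test to the locally installed sudo, if any. The output wording is the example's own.

```shell
#!/bin/sh
# Added example, written for this article (not the sudo project's own tooling): classify an
# upstream sudo version string against the CVE-2021-3156 affected range 1.8.2 .. 1.9.5p1,
# then apply the check to the locally installed sudo, if one is present.

# Normalise "MAJOR.MINOR.PATCH[pN]" into four integers: "1.9.5p1" -> "1 9 5 1",
# "1.8.31" -> "1 8 31 0" (no "pN" suffix counts as patch level 0).
sudo_version_fields() {
    printf '%s\n' "$1" | awk -F'[.p]' '{ printf "%d %d %d %d\n", $1, $2, $3, ($4 == "" ? 0 : $4) }'
}

# Exit status 0 when the version is inside the affected range, 1 otherwise.
# Legacy branch: 1.8.2 through 1.8.31 (fixed in 1.8.32).
# Current branch: everything before 1.9.5p2 (fixed in 1.9.5p2).
sudo_version_is_vulnerable() {
    set -- $(sudo_version_fields "$1")
    [ "$1" -eq 1 ] || return 1
    case "$2" in
        8) [ "$3" -ge 2 ] && [ "$3" -le 31 ] ;;
        9) [ "$3" -lt 5 ] || { [ "$3" -eq 5 ] && [ "$4" -le 1 ]; } ;;
        *) return 1 ;;
    esac
}

# Versions named in the article: Qualys's exploit targets, then the fixed releases.
for v in 1.8.31 1.8.27 1.9.2 1.9.5p1 1.8.32 1.9.5p2; do
    if sudo_version_is_vulnerable "$v"; then
        echo "$v: inside the affected range"
    else
        echo "$v: contains the fix"
    fi
done

# Local check: "sudo --version" prints "Sudo version 1.8.31" on its first line.
if command -v sudo >/dev/null 2>&1; then
    installed=$(sudo --version 2>/dev/null | sed -n '1s/^Sudo version //p')
    if [ -n "$installed" ] && sudo_version_is_vulnerable "$installed"; then
        echo "installed sudo $installed: upstream version in affected range; confirm the distribution patch level"
    elif [ -n "$installed" ]; then
        echo "installed sudo $installed: upstream version contains the fix"
    fi
fi
```

Distributions backport the fix without changing the upstream number (a patched Ubuntu 20.04 still reports 1.8.31), so on such systems compare the package version with the distribution's advisory rather than trusting the upstream string alone. The Qualys advisory also gives a harmless confirmation: as an unprivileged user run sudoedit -s / and an error starting with "sudoedit:" means vulnerable, while one starting with "usage:" means patched.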
Update container base images
Any container image based on Ubuntu, Debian, or CentOS includes vulnerable sudo. Rebuild all container images with updated base images and redeploy. A vulnerable sudo in a container with elevated privileges or host-mounted volumes represents a container escape path.
Audit sudo usage across the environment
Review sudoers configuration across all hosts. Reduce permissions to least-privilege: prefer specific command allowlists over blanket ALL grants. The fewer permissions sudo users have, the lower the value of future sudo vulnerabilities — but patching is required regardless of sudoers configuration.
Monitor for suspicious sudo invocations
Configure auditd rules to log all sudo executions. Alert on sudo invocations from accounts that do not normally use sudo, particularly service accounts (www-data, nginx, postgres). Unexpected root process spawning from non-administrative accounts warrants immediate investigation.
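The monitoring step as a worked example, constructed for this article rather than taken from the sudo project or the auditd documentation: an auditd watch rule that records every execution of the sudo binary, and an awk filter over constructed audit records that flags sudo executions by accounts outside an administrator allowlist. The key name, account names, uids and log lines are all invented sample data.

```shell
#!/bin/sh
# Added example, constructed for this article (not from the sudo project or auditd docs):
# an auditd watch rule that records every execution of the sudo binary, and an awk filter
# that flags executions by accounts outside an administrator allowlist. All names, uids and
# log lines below are invented sample data.

# Rule line for /etc/audit/rules.d/sudo.rules: log execute (-p x) access to the sudo
# binary under the key "sudo_exec" (the key name is an assumption used by the filter).
SUDO_AUDIT_RULE='-w /usr/bin/sudo -p x -k sudo_exec'

# Accounts expected to run sudo, and a uid-to-name map standing in for /etc/passwd.
ADMIN_ALLOWLIST='alice bob'
UID_MAP='0:root 1000:alice 33:www-data 26:postgres'

# Three constructed SYSCALL records with key="sudo_exec": alice (uid 1000, an admin),
# then www-data and postgres, both with auid=4294967295 (no login session: a daemon).
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1611680001.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2211 auid=1000 uid=1000 gid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="sudo_exec"
type=SYSCALL msg=audit(1611680002.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=4294967295 uid=33 gid=33 euid=0 comm="sudo" exe="/usr/bin/sudo" key="sudo_exec"
type=SYSCALL msg=audit(1611680003.300:103): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1301 auid=4294967295 uid=26 gid=26 euid=0 comm="sudo" exe="/usr/bin/sudo" key="sudo_exec"'

# Read audit records on stdin; print "<event id> uid=<n> user=<name> auid=<n>" for every
# sudo execution whose real uid does not belong to an allowlisted administrator.
flag_unexpected_sudo() {
    awk -v allow="$ADMIN_ALLOWLIST" -v users="$UID_MAP" '
    BEGIN {
        n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
        m = split(users, u, " ")
        for (i = 1; i <= m; i++) { split(u[i], f, ":"); name[f[1]] = f[2] }
    }
    /^type=SYSCALL / && /key="sudo_exec"/ {
        uid = ""; auid = ""; id = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^uid=/)  uid = substr($i, 5)
            if ($i ~ /^auid=/) auid = substr($i, 6)
            if ($i ~ /^msg=audit\(/) {
                id = $i; sub(/^msg=audit\([0-9.]*:/, "", id); sub(/\).*$/, "", id)
            }
        }
        user = (uid in name) ? name[uid] : "uid" uid
        if (!(user in ok)) print id, "uid=" uid, "user=" user, "auid=" auid
    }'
}

# Demonstration on the sample data: events 102 (www-data) and 103 (postgres) are flagged.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | flag_unexpected_sudo
```

An unset audit uid (4294967295) on a sudo execution means no interactive login session started it, which is exactly the web-shell or compromised-daemon pattern the section describes; on a live host feed the filter with ausearch -k sudo_exec --raw.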
The bottom line
Baron Samedit illustrates how a parsing bug in a security-critical utility can sit undetected for a decade, affecting every major operating system simultaneously. Sudo is trusted precisely because it controls privilege escalation — a vulnerability in sudo that bypasses its own permission model is uniquely damaging.
The correct mental model for local privilege escalation vulnerabilities: assume that any persistent threat actor with initial access to any user account on a Linux host will attempt to escalate to root. The combination of initial access through application vulnerabilities and LPE through vulnerabilities like CVE-2021-3156 is a standard and reliable attack chain. Patching is the only fix — no sudoers configuration prevents exploitation of this vulnerability.
Frequently asked questions
What is CVE-2021-3156 (Baron Samedit)?
Baron Samedit is a heap buffer overflow in sudo where argument preprocessing in shell mode miscounts the required buffer size, allowing an attacker to corrupt heap memory and escalate to root. It requires no sudo permissions, no password, and no race condition — any local user account is sufficient.
Does CVE-2021-3156 require sudo permissions?
No. The vulnerable code path runs before sudo checks whether the user is permitted to use sudo. Any local user on the system — including service accounts and web server users — can exploit it regardless of sudoers configuration.
How serious is CVE-2021-3156?
CVSS 7.8 (High) because of the local attack vector, but extremely impactful in practice. Any post-exploitation foothold — web shell, compromised service account, supply chain access — becomes instant root access. Qualys built working exploits for Ubuntu 20.04, 18.04, Debian 10, and Fedora 33 within 24 hours.
How do I patch CVE-2021-3156?
Update sudo via your package manager to version 1.9.5p2 (current branch) or 1.8.32 (legacy branch). Verify with: sudo --version. On Ubuntu/Debian: apt-get update && apt-get install sudo. On RHEL/CentOS: yum update sudo or dnf update sudo.
Is CVE-2021-3156 exploited in the wild?
Yes. Proof-of-concept exploits were published publicly shortly after Qualys's disclosure. The vulnerability's reliability and presence on every major Linux distribution made it a high-value post-exploitation tool for ransomware operators and APTs.