CVE-2021-3156

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

Published: Jan 26, 2021
Updated: Nov 11, 2025
CVE: CVE-2021-3156
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.2
AV:L/AC:L/Au:N/C:C/I:C/A:C

CWEs:

CWE-193

Affected Software
References

Software	From	Fixed in
sudo_project / sudo	1.9.5-patch1	1.9.5-patch1.x
sudo_project / sudo	1.9.0	1.9.5
sudo_project / sudo	1.9.5	1.9.5.x
sudo_project / sudo	1.8.2	1.8.32
fedoraproject / fedora	32	32.x
fedoraproject / fedora	33	33.x
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x
mcafee / web_gateway	8.2.17	8.2.17.x
mcafee / web_gateway	9.2.8	9.2.8.x
mcafee / web_gateway	10.0.4	10.0.4.x
synology / diskstation_manager	6.2	6.2.x
synology / diskstation_manager_unified_controller	3.0	3.0.x
beyondtrust / privilege_management_for_mac	-	21.1.1
beyondtrust / privilege_management_for_unix/linux	-	10.3.2-10
oracle / micros_compact_workstation_3_firmware	310	310.x
oracle / micros_es400_firmware	400	410.x
oracle / micros_kitchen_display_system_firmware	210	210.x
oracle / micros_workstation_5a_firmware	5a	5a.x
oracle / micros_workstation_6_firmware	610	655.x
oracle / tekelec_platform_distribution	7.4.0	7.7.1.x
oracle / communications_performance_intelligence_center	10.4.0.1.0	10.4.0.3.1.x
oracle / communications_performance_intelligence_center	10.3.0.0.0	10.3.0.2.1.x
netapp / ontap_tools	9	9.x

Vulnerability Database

300,214

CVE-2021-3156

Deep Security Visibility Without the Complexity