Description
On Tuesday, January 26, 2021, the Qualys Research Team published a blog post on CVE-2021-3156, a privilege escalation vulnerability in the sudo command that enables any local user to gain root privileges without using a password, even if the user is not listed in the sudoers file. The vulnerability arises from a heap-based buffer overflow when unescaping backslashes in a supplied command’s arguments. The vulnerable code was introduced in July 2011 and affects most Linux-based operating systems. See the project maintainers’ advisory on the vulnerability for further details.
Affected Products
According to the advisory, legacy versions of sudo from 1.8.2 to 1.8.31p2 and stable versions from 1.9.0 to 1.9.5p1 are vulnerable in their default configurations. Depending on the Linux distribution, the version number might be different. Please check the Guidance section for details.
Rapid7 analysis
CVE-2021-3156 is a local privilege escalation vulnerability, which means an attacker requires existing access to a target (such as through remote code execution) in order to exploit the bug. Exploitation is achieved by invoking the sudoedit -s command to reach the vulnerable code and perform an out-of-bounds (OOB) write in heap memory. Upon successful exploitation, the attacker would gain root access, resulting in full compromise of the system.
At the time of this writing, a crash PoC is available from Qualys. Rapid7 researchers have reliably reproduced the crash using the supplied PoC. The advisory contains enough technical detail to develop the PoC into an exploit. Researchers will have to bypass any memory protections in place, though the bug allows for a great amount of control over the OOB write, reducing the burden of exploitation. It is only a matter of time before exploits begin to surface.
Guidance
Rapid7 recommends that sudo users update to version 1.9.5p2 immediately. The legacy release stream 1.8.x has not yet received a critical bug fix for CVE-2021-3156. There is no effective mitigation for this vulnerability. Patched versions are listed below.
Official maintainer:
- Stable release has been patched in version 1.9.5p2: https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_5p2
- Legacy release has not been patched yet: https://www.sudo.ws/legacy.html
Linux distributions:
- Ubuntu: https://ubuntu.com/security/CVE-2021-3156
- Debian: https://security-tracker.debian.org/tracker/CVE-2021-3156
- RHEL: https://access.redhat.com/security/cve/CVE-2021-3156
- Fedora: https://bodhi.fedoraproject.org/updates/FEDORA-2021-2cb63d912a
- Arch Linux: https://security.archlinux.org/CVE-2021-3156
- Gentoo: https://security.gentoo.org/glsa/202101-33
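As an added example (not Rapid7's code and not part of the sudo project), the following POSIX shell helper compares a sudo version string against the two affected ranges stated above (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1) and can report on the locally installed sudo. Function and variable names are assumptions for this illustration; a version with no pN suffix is treated as patch level 0.

```shell
#!/bin/sh
# Added example: classify a sudo version string against the CVE-2021-3156
# affected ranges. Names below are assumed, not from Rapid7 or sudo.ws.

# Convert "1.8.31p2" into one comparable integer laid out as
# major*10^9 + minor*10^6 + patch*10^3 + plevel, so numeric tests work.
sudo_version_key() {
    ver="$1"
    base="${ver%%p*}"           # "1.8.31"
    plevel="${ver#"$base"}"     # "p2" or ""
    plevel="${plevel#p}"        # "2" or ""
    [ -n "$plevel" ] || plevel=0
    major="${base%%.*}"
    rest="${base#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    [ "$patch" != "$rest" ] || patch=0   # "1.9" has no patch component
    printf '%d\n' $(( major * 1000000000 + minor * 1000000 + patch * 1000 + plevel ))
}

# Return 0 (true) when the version lies inside either affected range
# from the advisory, 1 otherwise. Bounds are inclusive.
sudo_version_vulnerable() {
    key=$(sudo_version_key "$1")
    if [ "$key" -ge "$(sudo_version_key 1.8.2)" ] && \
       [ "$key" -le "$(sudo_version_key 1.8.31p2)" ]; then
        return 0
    fi
    if [ "$key" -ge "$(sudo_version_key 1.9.0)" ] && \
       [ "$key" -le "$(sudo_version_key 1.9.5p1)" ]; then
        return 0
    fi
    return 1
}

# First line of `sudo --version` reads "Sudo version 1.9.5p2"; extract the number.
installed_sudo_version() {
    sudo --version 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# Print a verdict for this host. Only runs when invoked with --check, so the
# functions can also be sourced or tested without touching the local sudo.
report_local_sudo() {
    v=$(installed_sudo_version)
    if [ -z "$v" ]; then
        echo "sudo not found or version not parseable"
    elif sudo_version_vulnerable "$v"; then
        echo "sudo $v: version is inside an affected range (confirm against distro package)"
    else
        echo "sudo $v: version is outside the affected ranges"
    fi
}

[ "${1:-}" = "--check" ] && report_local_sudo
```

Run it as `sh sudo_check.sh --check` on the host under review. The version string is only a first pass: distributions that backport the fix commonly keep the upstream version number and carry the patch in the package release, so a "vulnerable" verdict should be confirmed against the package changelog or the distribution links above before raising a ticket.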
References
- https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
- https://www.sudo.ws/alerts/unescape_overflow.html