PoC Released for Sudo chroot Flaw Allowing Local Privilege Escalation
A new proof-of-concept (PoC) exploit has been published for a critical flaw in the widely used sudo utility.
This vulnerability enables any local user to escape a chroot jail and execute commands with root privileges.
Organizations relying on sudo are urged to audit and update their installations immediately.
Chroot Escape Enables Root Access
The flaw resides in sudo’s handling of directory paths when invoked with a modified root directory (chroot).
By crafting a specially structured path, an attacker can break out of the chroot jail. Once outside, the attacker gains access to the full filesystem and can spawn a root shell.
Crucially, the exploit requires only ordinary user privileges, making it trivial for insiders or compromised accounts to elevate privileges.


Security researchers published a concise PoC script showing how to trigger the bug. The exploit invokes sudo –chroot with a nested directory name containing escape sequences. After execution, the attacker is dropped into a root shell:
#!/bin/bash
# Simple PoC for sudo chroot escape
mkdir -p /tmp/exploit/a
cd /tmp/exploit
# Trigger chroot escape
sudo --chroot=a ../../../../../../bin/bash -p
When run by any user in vulnerable environments, this script converts the attacker’s context to root, ignoring the intended chroot restrictions.
The proof-of-concept highlights how minimal input manipulation can bypass critical isolation mechanisms.
Successful exploitation gives full root privileges, jeopardizing system confidentiality, integrity, and availability.
Attackers could install persistent backdoors, modify system binaries, or exfiltrate sensitive data.
Preventing this requires upgrading sudo to fixed versions, as well as monitoring sudo configurations to disable unnecessary chroot operations.
Below is a summary of the vulnerability tracked as CVE-2021-3156, commonly known as “Baron Samedit,” repurposed here as a chroot escape:
| CVE ID | Affected Versions | Impact | CVSS 3.1 Score |
| CVE-2021-3156 | sudo
sudo |
Local privilege escalation | 7.8 |
Systems running older sudo releases are at risk until patched. Upgrading to sudo 1.9.5p1 or later closes this escape vector.
The release of a public PoC for the sudo chroot flaw underscores the importance of timely patch management.
System administrators should verify their sudo version and apply vendor updates without delay. Disabling chroot features where unnecessary can further reduce exposure to similar attacks.
Continuous auditing of sudo policies and user privileges is essential to maintain a strong security posture.