Security Notice for CVE-2025-32463 (sudo)

Thursday, August 7, 2025
Torizon


A security vulnerability (CVE-2025-32463) has been found in sudo that could be exploited to allow privilege escalation to root by any authorized user of the system who can execute shell commands. The attack does not require the attacker to have knowledge of the unprivileged user's password to execute; simply the ability to run sudo at all is sufficient. All versions of sudo beginning with 1.9.14 are affected, and there is no workaround or mitigation possible. The issue is patched in sudo version 1.9.17p1, released on June 30, 2025.

Affected versions

All Torizon OS 6 and Torizon OS 7 releases prior to June 30, 2025 (6.0.0 – 6.8.2, 7.0.0 – 7.2.0) are affected by this vulnerability.

What should I do?

Torizon OS users
Torizon OS 6.8.3 and Torizon OS 7.3.0, published July 25, 2025, both contain fixed versions of sudo and have been verified not to be vulnerable. If you are using an affected version of Torizon OS, we strongly recommend that you upgrade to these latest releases.

As of the publication date of this security notice, the release notes for these Torizon versions are not yet published. However, they are available both in Torizon Cloud and in the Toradex Easy Installer feeds.

Toradex BSP/Custom Yocto Linux distribution users
The default Toradex BSP Reference Images (Minimal and Multimedia) are not affected, as they do not include the sudo binary, and create by default only the root user. However, if your custom Linux image is built based on Kirkstone or Scarthgap Yocto releases (Toradex BSP version 6 or 7) and you have included sudo in your custom image, you are probably affected. We recommend auditing your image to determine if you have a vulnerable version, and patching/upgrading as soon as possible. The Kirkstone and Scarthgap branches of the Yocto Project meta-openembedded layer have been updated as of July 16, 2025 with fixed versions of sudo.

Q&A:

  • I don't have any unprivileged Linux user accounts on my device. Am I still affected?
    In principle, no. If you are absolutely certain that you do not have any unprivileged Linux user accounts, i.e. the only user on the device is root, you are not affected. However, note that most Linux distributions include the Name Service Switch, and allow users to be defined in places other than /etc/passwd, for example via nss-systemd. Check your /etc/nsswitch.conf file for all potential places where users may be defined, and/or run compgen -u to see the current list of defined users on your system.
  • I don't allow shell access at all on my device. Am I still affected?
    Possibly. The only preconditions for executing this attack are that the unprivileged user must be able to run the sudo binary and write files on the device. If you are following defense-in-depth best practices, like running applications and services with the least privilege they require, this sudo vulnerability strips away a very important layer of defense: any compromise of software running in an unprivileged user account that allows an attacker to execute arbitrary code will now also allow privilege escalation to root. Therefore, even if your non-root user accounts have login shells disabled, it is strongly recommended to update.
  • The only unprivileged Linux user accounts on my device are inside application containers. Am I affected?
    With respect to the containerized software, probably not. Containers provide significant isolation and protection against this type of vulnerability. Exploiting this vulnerability would require first escaping the container and gaining access to the host system. However, it is still strongly recommended to update your base OS as a defense-in-depth precaution. Note your container image might itself include a vulnerable sudo binary; we recommend auditing your container's SBOM to verify whether this is the case. Debian Containers for Torizon are based on Debian stable releases, which do not contain a vulnerable version of sudo.
  • I have a custom Linux based on the Toradex BSP reference image, and it includes sudo. If I update to the 7.3.0 or 6.8.3 tag in the Toradex manifest repo, will those tags include the fixed sudo as well?
    No. The fixes for 7.3.0 and 6.8.3 are backported into the Torizon OS layer, meta-toradex-torizon. If you are building a custom image, you will need to either backport the fix yourself, from the openembedded-core commits referenced above, or bump the openembedded-core layer to include those commits. The manifest for BSP 7.3.0 and 6.8.3 uses an openembedded-core version that does not contain the fix.
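As an added audit helper (not part of this notice, Torizon OS or the Toradex BSP), the following POSIX shell script performs the checks described above on a device or in an image rootfs: it classifies the installed sudo version against the affected range stated in this notice (1.9.14 up to, but not including, 1.9.17p1), prints the NSS sources configured for the passwd database, and enumerates non-root accounts through NSS using getent, a portable stand-in for compgen -u.

```shell
#!/bin/sh
# Added audit helper for the checks described in this notice; not part of
# Torizon OS or the Toradex BSP. The version boundaries (affected from
# 1.9.14, fixed in 1.9.17p1) are taken from the notice itself.

# Turn "1.9.17p1" or "1.9.14" into a numeric key so the range check is a
# plain integer comparison (a missing "p" suffix counts as p0).
sudo_version_key() {
  printf '%s\n' "$1" | awk -F'[.p]' '{ printf "%d%03d%03d%03d\n", $1, $2, $3, ($4 == "" ? 0 : $4) }'
}

# Exit status 0 when the version lies in [1.9.14, 1.9.17p1), 1 otherwise.
sudo_version_affected() {
  key=$(sudo_version_key "$1")
  [ "$key" -ge "$(sudo_version_key 1.9.14)" ] && [ "$key" -lt "$(sudo_version_key 1.9.17p1)" ]
}

# Print the NSS sources configured for the passwd database in the given
# nsswitch.conf, e.g. "files systemd", so users defined outside
# /etc/passwd are not overlooked.
passwd_sources() {
  awk '$1 == "passwd:" { $1 = ""; print substr($0, 2); exit }' "$1" 2>/dev/null
}

# Whole-device audit: sudo version, passwd sources, non-root accounts.
audit_device() {
  ver=$(sudo -V 2>/dev/null | awk '/^Sudo version/ { print $3; exit }')
  if [ -z "$ver" ]; then
    echo "sudo not installed: CVE-2025-32463 does not apply"
  elif sudo_version_affected "$ver"; then
    echo "sudo $ver is in the affected range (>= 1.9.14, < 1.9.17p1): update"
  else
    echo "sudo $ver is outside the affected range"
  fi
  echo "passwd sources: $(passwd_sources /etc/nsswitch.conf)"
  echo "non-root accounts visible through NSS:"
  getent passwd 2>/dev/null | awk -F: '$3 != 0 { print "  " $1 }'
}

audit_device
```

For an image rootfs that is not booted, run the version check against the output of `chroot <rootfs> sudo -V` and pass `<rootfs>/etc/nsswitch.conf` to `passwd_sources` instead.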