{"id":"CVE-2019-18684","details":"Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write \"ALL ALL=(ALL) NOPASSWD:ALL\" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers","modified":"2026-04-10T04:16:08.331870Z","published":"2019-11-04T16:15:11.437Z","references":[{"type":"EVIDENCE","url":"https://gist.github.com/oxagast/51171aa161074188a11d96cbef884bbd"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/millert/sudo","events":[{"introduced":"0"},{"last_affected":"6b83a6eee0bbbe654eb54d5a1fcf149ee1da173d"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.8.29"}]}}],"versions":["SUDO_1_3_0","SUDO_1_3_1","SUDO_1_4_0","SUDO_1_5_0","SUDO_1_5_1","SUDO_1_5_2","SUDO_1_5_3","SUDO_1_5_4","SUDO_1_5_6","SUDO_1_5_7","SUDO_1_5_8","SUDO_1_5_9","SUDO_1_6_0","SUDO_1_6_1","SUDO_1_6_2","SUDO_1_6_3","SUDO_1_6_4","SUDO_1_6_5","SUDO_1_6_6","SUDO_1_6_7","SUDO_1_6_8","SUDO_1_6_8p1","SUDO_1_7_0","SUDO_1_7_1","SUDO_1_7_2","SUDO_1_8_0","SUDO_1_8_1","SUDO_1_8_10","SUDO_1_8_10p1","SUDO_1_8_10p2","SUDO_1_8_10p3","SUDO_1_8_11","SUDO_1_8_11p1","SUDO_1_8_11p2","SUDO_1_8_12","SUDO_1_8_13","SUDO_1_8_14","SUDO_1_8_14p1","SUDO_1_8_14p3","SUDO_1_8_15","SUDO_1_8_16","SUDO_1_8_17","SUDO_1_8_17p1","SUDO_1_8_18","SUDO_1_8_18p1","SUDO_1_8_19","SUDO_1_8_19p1","SUDO_1_8_19p2","SUDO_1_8_2","SUDO_1_8_20","SUDO_1_8_20p1","SUDO_1_8_20p2","SUDO_1_8_21","SUDO_1_8_21p1","SUDO_1_8_21p2","SUDO_1_8_22","SUDO_1_8_23","SUDO_1_8_24","SUDO_1_8_25","SUDO_1_8_25p1","SUDO_1_8_26","SUDO_1_8_27","SUDO_1_8_28","SUDO_1_8_28p1","SUDO_1_8_29","SUDO_1_8_3","SUDO_1_8_4","SUDO_1_8_4p1","SUDO_1_8_4p2","SUDO_1_8_4p3","SUDO_1_8_4p4","SUDO_1_8_4p5","SUDO_1_8_5","SUDO_1_8_5p1","SUDO_1_8_5p2","SUDO_1_8_5p3","SUDO_1_8_6","SUDO_1_8_6p1","SUDO_1_8_6p2","SUDO_1_8_6p3","SUDO_1_8_6p4","SUDO_1_8_6p5","SUDO_1_8_6p6","SUDO_1_8_6p7","SUDO_1_8_6p8","SUDO_1_8_7","SUDO_1_8_8","SUDO_1_8_9","SUDO_1_8_9p1","SUDO_1_8_9p2","SUDO_1_8_9p3","SUDO_1_8_9p4","SUDO_1_8_9p5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18684.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}