Security word over a beacon on a Macbook pro screen

macOS 26.1 Release Patches Critical Sudo Privilege Escalation Vulnerabilities

By Nathan Pabon on November 3, 2025

Apple’s latest macOS 26.1 release delivers critical security fixes addressing two long-standing vulnerabilities in the sudo command-line utility—CVE-2025-32462 and CVE-2025-32463. These flaws, present for more than a decade, could allow attackers to gain unauthorized root access and fully compromise affected systems.

Without this critical fix, malicious actors with unauthorized root access can lead to severe system compromise, data theft, or complete system control.  

This update is highly recommended for all users to ensure the integrity and security of their systems and should be advised to update promptly.

What is sudo?

Sudo is a command in Linux and macOS that allows a user to execute a command as another user, usually the root user. It asks for the password of a user that has the right permissions to execute a command. Who or what can use the sudo command is defined in the /private/etc/sudoers directory (in macOS) as well as which commands can be run.

Why the macOS 26.1 release matters

Any weakness in sudo has a cascading impact on security posture – especially in enterprise and managed environments. For organizations managing fleets of macOS devices, these vulnerabilities represent a serious escalation risk that can undermine endpoint integrity and access controls.

Sudo Privilege Escalation Vulnerabilities

Stratascale’s Cyber Research Unit discovered two privilege escalation vulnerabilities relating to the sudo command that appear to have been present for over 12 years. These vulnerabilities have been dubbed CVE-2025-32462 and CVE-2025-32463. 

What is the Sudo Host Option Elevation of Privilege – CVE-2025-32462

This sudo vulnerability was publicly disclosed on June 30, 2025 and is rated as high severity. It affects sudo versions 1.9.0 – 1.9.17 and 1.8.8 – 1.8.32. The issue lies with the implementation of the host (-h or –host) option but certain conditions must be met.  

Running a command with the host option specifying an unrelated remote host than the one being operated on would cause sudo to treat the rule as valid for the local system. 

However, the sudoers file would have to be configured in a particular way for this to occur. For example, in the case a development host was more permissive with sudo actions as opposed to the production server. A user could specify the host of the development server in a sudo command while operating on the production server and gaining root access. 

Stratascale details a technical breakdown of this vulnerability and proof of concept in their article.

What is the Sudo chroot Elevation of Privilege – CVE-2025-32463

This sudo vulnerability was publicly disclosed on June 30, 2025 and is rated as high severity. It affects versions 1.9.14 – 19.17. Versions of sudo before and including 1.8.32 are not vulnerable as the chroot function did not exist then. The issue stems from the introduction of the chroot feature in 1.9.14 which allows a user to specify the root directory. 

With this functionality, a user could call chroot with root privileges to a location that they control. The attacker could place a fake /etc/nsswitch.conf file and a maliciously crafted library, such as libnss_ldap.so, in that prepared directory to trick sudo into running the arbitrary code in that library file as root.

Stratascale has an article and proof of concept available explaining and demonstrating the vulnerability in detail. 

macOS 26.1: The Fix

Apple has patched both vulnerabilities in macOS 26.1. Our team’s internal testing confirms that:

  • macOS 15.7.2 and earlier remain unpatched.
  • macOS 26.1 fully resolves these sudo vulnerabilities.

Recommended Actions for IT Managers and MSPs

  • Update Immediately: Upgrade all managed macOS devices to version 26.1.
  • Audit sudoers Configurations: Review and restrict sudo privileges to minimize lateral movement risks.
  • Automate Patching: Utilize MDM solutions such as Addigy for seamless update delivery.
  • Monitor for Exploits: Stay alert for indicators of compromise leveraging these CVEs.

Conclusion: Proactive Patch Management is Essential

Proactive patch management remains the strongest defense against security compromises such as these. Ensuring endpoints are on the latest macOS version is essential to maintaining operational security and compliance in 2025 and beyond.

Addigy provides a seamless update process to patch these devices to the latest version to mitigate this vulnerability. Find out more details about how to apply system updates.

Additional resources:

https://www.oligo.security/blog/new-sudo-vulnerabilities-cve-2025-32462-and-cve-2025-32463
https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
https://github.com/cyberpoul/CVE-2025-32462-POC/tree/main

Nathan Pabon

Nathan Pabon

Application Security Engineer at Addigy

Similar Posts

Streamline IT Operations with Addigy and Okta
|

Streamline IT Operations with Addigy and Okta

Discover how Addigy’s integration with Okta streamlines Apple device management. Learn how IT teams can automate workflows, secure device setups with SSO, and deliver seamless user experiences for Macs, iPhones, and iPads.

Alarm going off on red background.

New Zero-Day Vulnerability Detected

A fresh zero-day vulnerability has been identified, affecting certain third-party applications. This vulnerability may be linked to Apple’s…