The vulnerability tracked as CVE-2019-18634, is the result of a stack-based buffer-overflow bug found in versions 1.7.1 through 1.8.25p1. It can be triggered only when either an administrator or a downstream OS, such as Linux Mint and Elementary OS, has enabled an option known as pwfeedback. With pwfeedback turned on, the vulnerability can be exploited even by users who aren't listed in sudoers, a file that contains rules that users must follow when using the sudo command.

According to a Sudo advisory exploiting the bug does not require sudo permissions, merely that pwfeedback be enabled.

"The bug can be reproduced by passing a large input to Sudo via a pipe when it prompts for a password."

The advisory lists two flaws that lead to the vulnerability. The first: pwfeedback isn't ignored as it should be when reading from something other than a terminal. As a result, the saved version of a line erase character remains at its initialized value of 0. The second contributor is that the code that erases the line of asterisks doesn't properly reset the buffer position if there is an error writing data. Instead, the code resets only the remaining buffer length.

This means taht input can write past the end of the buffers. Systems with unidirectional pipe allow an attempt to write to the read end of the pipe to result in a write error. Because the remaining buffer length isn't reset correctly when write errors result from line erasures, the stack buffer can be overflowed. The report notes the vulnerability was introduced in 2009 and remained active until 2018, with the release of 1.8.26b1.

"Systems or software using a vulnerable version should move to version 1.8.31 as soon as practical. Those who can't update right away can prevent exploits by making sure pwfeedback is disabled."