Several Linux distros have issued updates to fix a vulnerability in Sudo, a Linux app behind the "sudo" command, which can allow an unprivileged attacker to gain root privileges.

The issue, tracked as CVE-2017-1000367, came to light two days ago when security researchers from Qualys published an advisory on the matter.

Researchers say that an attacker that is in the position to run bash commands can create malformed sudo commands that will allow him to overwrite any file on the system, even root-owned content. In other words, the attacker gains the root-level privileges.

Only systems with Sudo and SELinux are vulnerable

The issue doesn’t affect all Linux distros, but only where the SELinux is enabled, and sudo was built with SELinux support.

Todd C. Miller, the creator of the Sudo app, has acknowledged the issue and released an update. The vulnerability was fixed in sudo 1.8.20p1. Sudo versions between 1.8.6p7 and 1.8.20 are affected.

Sudo is bundled as a default app in many of today’s Linux distros. Red Hat, SUSE, Debian, and Ubuntu have released urgent security updates to address the issue.

Below is Qualys’ technical explanation for the flaw. Proof-of-concept exploit code is available in the company’s original advisory, here.