---
title: "CVE-2025-32463 Sudo Chroot LPE Mitigation"
description: "CVE-2025-32463 sudo chroot local privilege escalation mitigation demo showing agentsh blocking NSS shared-object writes, sudo chroot execution, and chroot syscalls."
doc_version: "1.0"
last_updated: "2026-05-18"
canonical: "https://www.agentsh.org/mitigations/demo-cve-2025-32463/"
---

# CVE-2025-32463 Sudo Chroot LPE Mitigation

## Overview

This mitigation demo shows agentsh blocking the sudo chroot local privilege escalation path for CVE-2025-32463. The vulnerable run demonstrates the attack surface; the protected run shows agentsh denying the file, command, and syscall operations needed to complete the setup.

## Mitigation

agentsh policy blocks the exploit chain with command rules, file access rules, and daemon seccomp enforcement. The result is a deterministic denial with audit evidence instead of a prompt-level warning.
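The seccomp layer of such a mitigation can be illustrated with a minimal filter that denies `chroot(2)`. This is an added example, not agentsh's code or policy format; it assumes Linux on x86-64 or aarch64, and the name `chroot_errno_under_filter` and the choice of `EACCES` (to distinguish the filter's denial from the kernel's own `EPERM` for unprivileged callers) are illustrative.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#endif

/* Deny chroot(2) with EACCES; kill on a foreign ABI or x32 numbers; allow the rest. */
static struct sock_filter deny_chroot[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 0, 2),   /* wrong arch -> kill  */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 0, 1),    /* x32 bit set -> kill */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_chroot, 0, 1),    /* chroot -> deny      */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EACCES),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Install the filter in a child process and return the errno that chroot("/")
 * yields there: EACCES if the filter decided, -1 if seccomp was unavailable. */
int chroot_errno_under_filter(void) {
    struct sock_fprog prog = { .len = sizeof deny_chroot / sizeof deny_chroot[0], .filter = deny_chroot };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(255);                      /* filter could not be installed */
        _exit(chroot("/") == 0 ? 0 : errno); /* report the syscall outcome    */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    return chroot_errno_under_filter() != EACCES; /* exit 0 when the filter denied chroot */
}
```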

