Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.

Local users can start Sendmail in daemon mode and gain root privileges.

MIME buffer overflow in Sendmail 8.8.0 and 8.8.1 gives root access.

Buffer overflow and denial of service in Sendmail 8.7.5 and earlier through GECOS field gives root access to local users.

Sendmail before 8.6.7 allows local users to gain root access via a large value in the debug (-d) command line option.

SunOS sendmail 5.59 through 5.65 uses popen to process a forwarding host argument, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable and passing crafted values to the -oR option.

In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program.

Sendmail WIZ command enabled, allowing root access.

The debug command in Sendmail is enabled, allowing attackers to execute commands as root.