diff --git a/docs/sudoers.man.in b/docs/sudoers.man.in
index fadc62382..b3b7eda8b 100644
--- a/docs/sudoers.man.in
+++ b/docs/sudoers.man.in
@@ -3410,6 +3410,12 @@ has completed but before the new command has had a chance to run.
 In the case of a path name or argument mismatch, the command will be sent a
 \fRSIGKILL\fR
 signal and terminated.
+This can help prevent a time of check vs. time of use issue with
+intercept mode where the
+execve(2)
+arguments could be altered after the
+\fBsudoers\fR
+policy check.
 This flag has no effect unless the
 \fIintercept\fR
 flag is enabled or the
@@ -7012,6 +7018,27 @@ you can always just try it out and check whether or not external
 commands run via a shell are logged when
 \fIintercept\fR
 is enabled.
+.sp
+There is an inherent race condition between when a command is checked against
+\fBsudoers\fR
+rules and when it is actually executed.
+If a user is allowed to run arbitrary commands, they may be able
+to change the
+execve(2)
+arguments in the program after the
+\fBsudoers\fR
+policy check has completed but before the new command is executed.
+Starting with version 1.9.12, the
+ptrace(2)
+method will verify that the command and its arguments have not changed after
+execve(2)
+has completed but before execution of the new program has had a chance to run.
+This is not the case with the
+\fIdso\fR
+method.
+See the description of the
+\fIintercept_verify\fR
+setting for more information.
 .RE
 .TP 10n
 log
diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in
index f4987d8ea..b68b973ca 100644
--- a/docs/sudoers.mdoc.in
+++ b/docs/sudoers.mdoc.in
@@ -3231,6 +3231,12 @@ has completed but before the new command has had a chance to run.
 In the case of a path name or argument mismatch, the command will be sent a
 .Dv SIGKILL
 signal and terminated.
+This can help prevent a time of check vs. time of use issue with
+intercept mode where the
+.Xr execve 2
+arguments could be altered after the
+.Nm
+policy check.
 This flag has no effect unless the
 .Em intercept
 flag is enabled or the
@@ -6498,6 +6504,27 @@ you can always just try it out and check whether or not external
 commands run via a shell are logged when
 .Em intercept
 is enabled.
+.Pp
+There is an inherent race condition between when a command is checked against
+.Nm
+rules and when it is actually executed.
+If a user is allowed to run arbitrary commands, they may be able
+to change the
+.Xr execve 2
+arguments in the program after the
+.Nm
+policy check has completed but before the new command is executed.
+Starting with version 1.9.12, the
+.Xr ptrace 2
+method will verify that the command and its arguments have not changed after
+.Xr execve 2
+has completed but before execution of the new program has had a chance to run.
+This is not the case with the
+.Em dso
+method.
+See the description of the
+.Em intercept_verify
+setting for more information.
 .It log
 There are two separate but related ways to log additional commands.
 The first is to enable I/O logging using the