Red Hat CVE-2026-35535

EUVD-2026-18571, severity HIGH (CVSS 3.1 score 7.4)
Privilege Dropping / Lowering Errors (CWE-271)
2026-04-03 mitre GHSA-g5fc-f834-rcr2

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (6 events)

Analysis Updated: Apr 16, 2026 - 06:07, EUVD-patch-fix, executive_summary
Re-analysis Queued: Apr 16, 2026 - 05:29, backfill_euvd_patch, patch_released
Patch available: Apr 16, 2026 - 05:29, EUVD, 3e474c2f201484be83d994ae10a4e20e8c81bb69
EUVD ID Assigned: Apr 03, 2026 - 02:30, euvd, EUVD-2026-18571
Analysis Generated: Apr 03, 2026 - 02:30, vuln.today
CVE Published: Apr 03, 2026 - 02:21, nvd, HIGH 7.4

Description (NVD)

In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.
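
The bug class in the description, shown as an added example (not Sudo's code and not the upstream fix): a privilege drop whose failure is ignored, next to one where any failed step is fatal. The `priv_ops` indirection, the function names and the target id 65534 are assumptions, introduced so that a failing `setuid` can be simulated.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical indirection (not Sudo's API) so a failing call can be simulated. */
struct priv_ops {
    int (*set_groups)(size_t, const gid_t *);
    int (*set_gid)(gid_t);
    int (*set_uid)(uid_t);
};

/* Real system calls, wrapped so the pointer types match on every libc. */
static int real_setgroups(size_t n, const gid_t *g) { return setgroups(n, g); }
static int real_setgid(gid_t g) { return setgid(g); }
static int real_setuid(uid_t u) { return setuid(u); }
const struct priv_ops real_ops = { real_setgroups, real_setgid, real_setuid };

/* Constructed failure case: the group calls succeed, setuid() fails with EAGAIN. */
static int ok_setgroups(size_t n, const gid_t *g) { (void)n; (void)g; return 0; }
static int ok_setgid(gid_t g) { (void)g; return 0; }
static int failing_setuid(uid_t u) { (void)u; errno = EAGAIN; return -1; }
const struct priv_ops failing_ops = { ok_setgroups, ok_setgid, failing_setuid };

/* Drop order: supplementary groups, then gid, then uid. Returns 0 only if all succeed. */
int drop_privs(const struct priv_ops *ops, uid_t uid, gid_t gid) {
    if (ops->set_groups(1, &gid) != 0) return -1;
    if (ops->set_gid(gid) != 0) return -1;
    if (ops->set_uid(uid) != 0) return -1;
    return 0;
}

/* Non-fatal handling (CWE-271 pattern): failure ignored, helper runs with privileges still held. */
int may_run_helper_lenient(const struct priv_ops *ops, uid_t uid, gid_t gid) {
    (void)drop_privs(ops, uid, gid);
    return 1;
}

/* Fatal handling: any failed step means the helper must not be executed. */
int may_run_helper_strict(const struct priv_ops *ops, uid_t uid, gid_t gid) {
    return drop_privs(ops, uid, gid) == 0;
}

int main(void) {
    printf("lenient=%d strict=%d\n", may_run_helper_lenient(&failing_ops, 65534, 65534),
           may_run_helper_strict(&failing_ops, 65534, 65534));
    return 0;
}
```

Passing `&real_ops` instead of `&failing_ops` performs the drop with the actual system calls; a caller without the required privilege then fails at the first step and the strict variant refuses to continue.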

Analysis (AI)

Privilege escalation to root in Sudo ≤1.9.17p2 occurs when setuid/setgid/setgroups system calls fail during the mailer privilege-drop sequence, allowing local attackers with high complexity exploitation to gain full system control. Confirmed actively exploited (CISA KEV). …


Remediation (AI)

Within 24 hours: Identify all systems running Sudo ≤1.9.17p2 using vulnerability scanning or package inventory tools. Within 7 days: Apply vendor-released patch to upgrade Sudo to version 1.9.17p3 or later on all affected systems, prioritizing servers with local user access. …

