Skip to main content

Sudo EUVDEUVD-2026-18571

| CVE-2026-35535 HIGH
Privilege Dropping / Lowering Errors (CWE-271)
2026-04-03 mitre GHSA-g5fc-f834-rcr2
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local authenticated user (AV:L/PR:L); AC:H because the attacker must force a setuid/setgid syscall failure and have mailer notifications enabled; success yields full root (C/I/A:H).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
7.4 HIGH
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.4 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

13
Analysis Updated
Jun 30, 2026 - 04:39 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:38 vuln.today
v4 (cvss_changed)
Source Code Evidence Fetched
Jun 30, 2026 - 04:38 vuln.today
Analysis Updated
Jun 30, 2026 - 04:38 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:37 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:24 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.4 (HIGH) 7.8 (HIGH)
Analysis Updated
Apr 16, 2026 - 06:07 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3e474c2f201484be83d994ae10a4e20e8c81bb69
EUVD ID Assigned
Apr 03, 2026 - 02:30 euvd
EUVD-2026-18571
Analysis Generated
Apr 03, 2026 - 02:30 vuln.today
CVE Published
Apr 03, 2026 - 02:21 nvd
HIGH 7.4

DescriptionNVD

In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.

AnalysisAI

Local privilege escalation in Sudo through 1.9.17p2 (fixed in commit 3e474c2) arises because a failed setuid, setgid, or setgroups call during the privilege drop that precedes invoking the mailer is treated as non-fatal, allowing the mailer to run with retained elevated privileges. Local users on systems where Sudo is configured to send mail can leverage this to gain root, with total technical impact per CISA SSVC. EPSS is 0.00% and there is no public exploit identified at time of analysis, consistent with SSVC marking exploitation as none.

Technical ContextAI

Sudo is the near-universal privilege-delegation utility on Linux and Unix systems, running setuid-root to execute commands as other users under policy in sudoers. When configured to notify administrators (e.g. mail_badpass, mail_no_user, or other mail_* options), Sudo forks a mailer and is supposed to permanently drop privileges to an unprivileged identity before exec'ing it. The flaw is a classic CWE-271 (Privilege Dropping / Lowering Errors) defect: the return values of setuid()/setgid()/setgroups() are not checked as fatal, so if any of those calls fails the code continues and the mailer executes still holding elevated UID/GID/group membership. The CPE cpe:2.3:a:sudo_project:sudo identifies the upstream sudo_project codebase, and the fix commit makes such failures abort execution.

RemediationAI

Apply your distribution's updated Sudo package: Upstream fix available (commit 3e474c2f201484be83d994ae10a4e20e8c81bb69) - released patched version not independently confirmed from the input, so deploy the vendor-released errata that incorporate it, e.g. Red Hat RHSA-2026:10758 / 11521 / 12310 (https://access.redhat.com/errata/RHSA-2026:10758), SUSE-SU-2026:1308/1309/1359 (https://www.suse.com/support/update/SUSE-SU-2026:1308/), or the Debian LTS update (https://lists.debian.org/debian-lts-announce/2026/06/msg00003.html). As an interim compensating control until patched, disable Sudo's mail notifications in sudoers - set 'mailerpath' to none or turn off mail_badpass, mail_no_user, mail_always and related mail_* options - since the vulnerable code path only runs when Sudo invokes the mailer; the trade-off is loss of administrative email alerts on sudo events. Restricting who may run sudo at all further reduces the local attacker pool but is not a substitute for the update.

More in Sudo

View all
CVE-2025-32463 CRITICAL POC
9.3 Jun 30

Sudo before 1.9.17p1 contains a local root escalation vulnerability (CVE-2025-32463, CVSS 9.3) through the --chroot opti

CVE-2012-0809 HIGH POC
7.2 Feb 01

Format string vulnerability in the sudo_debug function in Sudo 1.8.0 through 1.8.3p1 allows local users to execute arbit

CVE-2025-32462 HIGH POC
8.8 Jun 30

Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allo

CVE-2013-1775 MEDIUM POC
6.9 Mar 05

sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allows local users or physically proximate attackers to bypas

CVE-2023-22809 HIGH POC
7.8 Jan 18

In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environmen

CVE-2021-3156 HIGH POC
7.8 Jan 26

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege

CVE-2017-1000367 MEDIUM POC
6.4 Jun 05

Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_

CVE-2019-14287 HIGH POC
8.8 Oct 17

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and se

CVE-2015-5602 HIGH POC
7.2 Nov 17

sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is d

CVE-2021-23240 HIGH POC
7.8 Jan 12

selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and es

CVE-2023-27320 HIGH POC
7.2 Feb 28

Sudo before 1.9.13p2 has a double free in the per-command chroot feature. Rated high severity (CVSS 7.2), this vulnerabi

CVE-2023-42465 HIGH POC
7.0 Dec 22

Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because applicatio

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.92 Image SL-Micro Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-Default Image SL-Micro-Default-SelfInstall Image SL-Micro-Default-encrypted Image SL-Micro-Default-qcow Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Fixed

Share

EUVD-2026-18571 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy