CVE-2026-35535
Published 2026-04-03
Severity: high, 7.8 (CVSS 3.1)
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.
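The pattern the description points at, treating any failed identity change as fatal before a helper runs, is shown below as an added example; it is not Sudo's code and not the 3e474c2 change. The names `id_ops`, `drop_privileges` and `run_helper_unprivileged`, the stub functions and the uid/gid value 1000 are assumptions made for illustration.

```c
#include <stddef.h>
#include <sys/types.h>

/* Hypothetical indirection over the identity-changing calls so the failure
 * path can be exercised without root. In production these would point at
 * setgroups(2), setgid(2) and setuid(2). */
struct id_ops {
    int (*set_groups)(size_t n, const gid_t *list);
    int (*set_gid)(gid_t gid);
    int (*set_uid)(uid_t uid);
};

/* Drop to uid/gid: groups and gid first, uid last (after the uid changes the
 * process may no longer be allowed to change groups). 0 on success, else -1. */
int drop_privileges(const struct id_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->set_groups(1, &gid) != 0 || ops->set_gid(gid) != 0 ||
        ops->set_uid(uid) != 0)
        return -1;
    return 0;
}

/* Run `helper` (standing in for the mailer) only after a successful drop.
 * Returns the helper's result, or -1 without calling it if the drop failed. */
int run_helper_unprivileged(const struct id_ops *ops, uid_t uid, gid_t gid,
                            int (*helper)(void))
{
    if (drop_privileges(ops, uid, gid) != 0)
        return -1; /* fatal: never continue with the original identity */
    return helper();
}

/* Constructed stubs that simulate the calls for this demonstration. */
static int helper_runs;
static int ok_groups(size_t n, const gid_t *l) { (void)n; (void)l; return 0; }
static int ok_gid(gid_t g) { (void)g; return 0; }
static int ok_uid(uid_t u) { (void)u; return 0; }
static int fail_uid(uid_t u) { (void)u; return -1; } /* e.g. setuid -> EAGAIN */
static int helper(void) { return ++helper_runs; }

/* How many times the helper ran: 1 after a clean drop, 0 when setuid fails. */
int demo_helper_runs(int setuid_fails)
{
    struct id_ops ops = { ok_groups, ok_gid, setuid_fails ? fail_uid : ok_uid };
    helper_runs = 0;
    (void)run_helper_unprivileged(&ops, 1000, 1000, helper);
    return helper_runs;
}

int main(void) { return (demo_helper_runs(1) == 0 && demo_helper_runs(0) == 1) ? 0 : 1; }
```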
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | sudo | < sudo 1.9.17p2-5 (forky) | sudo 1.9.17p2-5 (forky) |
| msrc | azl3_sudo_1.9.17-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_sudo_1.9.17-1_on_cbl_mariner_2.0 | — | — |
| siemens | sinec_os | < 4.0 | 4.0 |
| sudo_project | sudo | < 3e474c2f201484be83d994ae10a4e20e8c81bb69 | 3e474c2f201484be83d994ae10a4e20e8c81bb69 |
| sudo_project | sudo | < 1.9.17 | 1.9.17 |
| sudo_project | sudo | — | — |
| sudo_project | sudo | >= 0 < 1.9.17p2-5 | 1.9.17p2-5 |
CVSS provenance
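| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 7.4 | HIGH | — |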