CVE-2026-35535

CWE-271, CWE-272 · 8 documents · 8 sources
Severity
7.4 HIGH
EPSS
0.0%
top 99.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Apr 3

Description

In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.4 | Impact: 5.9

Affected Packages (2 packages)

CVEList V5: sudo_project/sudo < 3e474c2f201484be83d994ae10a4e20e8c81bb69
Debian: sudo < 1.9.17p2-5

🔴 Vulnerability Details

3
CVEList
CVE-2026-35535: In Sudo through 1... (2026-04-03)
OSV
CVE-2026-35535: In Sudo through 1... (2026-04-03)
GHSA
GHSA-g5fc-f834-rcr2: In Sudo through 1... (2026-04-03)

📋 Vendor Advisories

3
Red Hat
sudo: Sudo: Privilege escalation due to failure in privilege drop calls (2026-04-03)
Microsoft
CVE-2026-35535: Mariner: Mariner mitre: mitre Customer Action Required: Yes (2026-04-02)
Debian
CVE-2026-35535: sudo - In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgr... (2026)

🕵️ Threat Intelligence

1
Wiz
CVE-2026-35535 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-35535 (HIGH CVSS 7.4) | In Sudo through 1.9.17p2 before 3e4 | cvebase.io