CVE-2026-35535

low-risk

Published 2026-04-03

In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.4/10 High

LOCAL / HIGH complexity

References (4)

https://bugs.debian.org/1130593

https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/2143042

https://github.com/sudo-project/sudo/commit/3e474c2f201484be83d994ae10a4e20e8c81...

https://www.qualys.com/2026/03/10/crack-armor.txt

/ 100

low-risk

Severity 19/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal