CVE-2026-35535

Description

In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.

CVSS Details

CVSS Score

7.4

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Sudo <= 1.9.17p2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Conceptual Proof of Concept for CVE-2026-35535
# This PoC demonstrates the logic flaw where a failed setuid/setgid during privilege drop is not fatal.
# Exploitation typically requires the mailer feature to be enabled in sudoers.

# 1. Verify sudo version (vulnerable if <= 1.9.17p2)
sudo -V | grep "Sudo version"

# 2. Prepare environment
# An attacker might set up a malicious script or manipulate the path used by the mailer.
# Since the error is non-fatal, the mailer might execute with elevated privileges.

# Example triggering command (depends on configuration triggering the mailer)
# If the setuid fails inside, the process might retain root perms.
echo "attempting to trigger sudo mailer path..."
sudo -n invalid_command 2>&1

# Note: Successful exploitation requires specific conditions regarding
# the failure of the setuid/setgid calls and control over the mailer execution context.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-35535
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-35535
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-35535/
[4] VulDB https://vuldb.com/cve/CVE-2026-35535
[5] https://bugs.debian.org/1130593
[6] https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/2143042
[7] https://github.com/sudo-project/sudo/commit/3e474c2f201484be83d994ae10a4e20e8c81bb69
[8] https://www.qualys.com/2026/03/10/crack-armor.txt

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-35535", "sourceIdentifier": "[email protected]", "published": "2026-04-03T03:16:18.233", "lastModified": "2026-04-03T16:10:23.730", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.4, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-271"}]}], "references": [{"url": "https://bugs.debian.org/1130593", "source": "[email protected]"}, {"url": "https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/2143042", "source": "[email protected]"}, {"url": "https://github.com/sudo-project/sudo/commit/3e474c2f201484be83d994ae10a4e20e8c81bb69", "source": "[email protected]"}, {"url": "https://www.qualys.com/2026/03/10/crack-armor.txt", "source": "[email protected]"}]}}