| Name | CVE-2026-35535 |
| Description | In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1130593 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| sudo (PTS) | bullseye | 1.9.5p2-3+deb11u1 | vulnerable |
| sudo (PTS) | bullseye (security) | 1.9.5p2-3+deb11u3 | vulnerable |
| sudo (PTS) | bookworm | 1.9.13p3-1+deb12u3 | vulnerable |
| sudo (PTS) | bookworm (security) | 1.9.13p3-1+deb12u2 | vulnerable |
| sudo (PTS) | trixie | 1.9.16p2-3+deb13u1 | vulnerable |
| sudo (PTS) | forky, sid | 1.9.17p2-5 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| sudo | source | (unstable) | 1.9.17p2-5 | | | 1130593 |
Notes
[trixie] - sudo <no-dsa> (Minor issue, can be fixed in a point release)
[bookworm] - sudo <no-dsa> (Minor issue, can be fixed in a point release)
https://github.com/sudo-project/sudo/commit/3e474c2f201484be83d994ae10a4e20e8c81bb69
https://cdn2.qualys.com/advisory/2026/03/10/crack-armor.txt
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/2143042