sudo-rs Allows Low Privilege Users to Enumerate Privileges of Others
Description
sudo-rs is a memory-safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with limited sudo privileges (e.g. execution of a single command) can list the sudo privileges of other users using the -U flag. This vulnerability allows users with limited sudo privileges to enumerate the sudoers file, revealing sensitive information about other users' permissions. Attackers can collect information that can be used for more targeted attacks. Systems where users either do not have sudo privileges or have the ability to run all commands as root through sudo (the default configuration on most systems) are not affected by this advisory. Version 0.2.6 fixes the vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In sudo-rs before 0.2.6, users with limited sudo privileges can enumerate other users' sudo permissions using the -U flag, leaking sensitive configuration.
The vulnerability resides in sudo-rs, a memory-safe sudo implementation in Rust. Prior to version 0.2.6, the -U flag, intended to list another user's privileges, is not properly restricted for users with limited sudo rights. This allows an attacker to query the full sudoers file for any user, contrary to the original sudo which denies this operation for non-allowed users [2][3].
Exploitation requires the attacker to possess at least some sudo privileges on the system (e.g., execution of a single command like ps). By running sudo -l -U with the target username, the attacker can retrieve the complete sudo rules for that user. The original sudo correctly blocks this with an error, but sudo-rs prior to 0.2.6 does not [3]. This behavior was confirmed in versions up to 0.2.5 [3].
The impact is information disclosure: an attacker can enumerate all users' sudo permissions, revealing which commands other users can execute with elevated privileges. This intelligence can be used to plan more targeted attacks, such as privilege escalation or lateral movement. Systems where users have no sudo access or have unrestricted root access are not vulnerable [2][3].
A fix was released in version 0.2.6, which introduces a list pseudocommand to control sudo -U and adds proper authorization checks [4]. All users running sudo-rs versions below 0.2.6 should upgrade immediately to mitigate this vulnerability.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sudo-rs (crates.io) | < 0.2.6 | 0.2.6 |
Affected products
- Range: < 0.2.6
- trifectatechfoundation/sudo-rs: Range < 0.2.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-w9q3-g4p5-5q2r (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-46718 (GHSA, advisory)
- github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.6 (GHSA, x_refsource_MISC, web)
- github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-w9q3-g4p5-5q2r (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.