High severity 7.4 · NVD Advisory · Published Apr 3, 2026 · Updated Jun 4, 2026
CVE-2026-35535
Description
In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.
Affected products (27)
- (no CPE)
- cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:*, range: <1.9.17
- cpe:2.3:a:sudo_project:sudo:1.9.17:-:*:*:*:*:*:*
- cpe:2.3:a:sudo_project:sudo:1.9.17:p1:*:*:*:*:*:*
- cpe:2.3:a:sudo_project:sudo:1.9.17:p2:*:*:*:*:*:*
- (no CPE), range: <=1.9.17p2
- osv-coords, 20 versions:
- pkg:rpm/almalinux/sudo, range: < 1.9.15-10.p5.el10_1
- pkg:rpm/almalinux/sudo-python-plugin, range: < 1.9.15-10.p5.el10_1
- pkg:rpm/opensuse/sudo&distro=openSUSE%20Leap%2016.0, range: < 1.9.17p1-160000.3.1
- pkg:rpm/opensuse/sudo&distro=openSUSE%20Tumbleweed, range: < 1.9.17p2-2.1
- pkg:rpm/suse/sudo&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS, range: < 1.9.9-150400.4.42.1
- pkg:rpm/suse/sudo&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS, range: < 1.9.9-150400.4.42.1
- pkg:rpm/suse/sudo&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS, range: < 1.9.12p1-150500.7.16.1
- pkg:rpm/suse/sudo&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS, range: < 1.9.12p1-150500.7.16.1
- pkg:rpm/suse/sudo&distro=SUSE%20Linux%20Enterprise%20Micro%205.3, range: < 1.9.9-150400.4.42.1
- pkg:rpm/suse/sudo&distro=SUSE%20Linux%20Enterprise%20Micro%205.4, range: < 1.9.9-150400.4.42.1
- pkg:rpm/suse/sudo&distro=SUSE%20Linux%20Enterprise%20Micro%205.5, range: < 1.9.12p1-150500.7.16.1
- pkg:rpm/suse/sudo&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7, range: < 1.9.15p5-150600.3.15.1
- pkg:rpm/suse/sudo&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS, range: < 1.9.9-150400.4.42.1
- pkg:rpm/suse/sudo&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS, range: < 1.9.12p1-150500.7.16.1
- pkg:rpm/suse/sudo&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSS, range: < 1.9.15p5-150600.3.15.1
- pkg:rpm/suse/sudo&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4, range: < 1.9.9-150400.4.42.1
- pkg:rpm/suse/sudo&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5, range: < 1.9.12p1-150500.7.16.1
- pkg:rpm/suse/sudo&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6, range: < 1.9.15p5-150600.3.15.1
- pkg:rpm/suse/sudo&distro=SUSE%20Linux%20Micro%206.1, range: < 1.9.15p5-slfo.1.1_3.1
- pkg:rpm/suse/sudo&distro=SUSE%20Linux%20Micro%206.2, range: < 1.9.17p1-160000.3.1
References (6)
- github.com/sudo-project/sudo/commit/3e474c2f201484be83d994ae10a4e20e8c81bb69 (nvd, Patch)
- cert-portal.siemens.com/productcert/html/ssa-253495.html (nvd, Third Party Advisory)
- www.qualys.com/2026/03/10/crack-armor.txt (nvd, Third Party Advisory)
- bugs.debian.org/1130593 (nvd, Broken Link)
- bugs.launchpad.net/ubuntu/+source/sudo/+bug/2143042 (nvd, Issue Tracking)
- lists.debian.org/debian-lts-announce/2026/06/msg00003.html (nvd)
News mentions (1)
- Debian 13.5 point release lands with security fixes, bug patches. Help Net Security · May 17, 2026