{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-35535/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-35535"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sudo","privilege-escalation","cve-2026-35535"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-35535 identifies a high-severity (CVSS 7.4) vulnerability in Sudo affecting versions up to and including 1.9.17p2, i.e. builds that predate commit 3e474c2. The flaw is in how Sudo handles errors while dropping privileges before it runs the mailer: if the setuid, setgid, or setgroups call fails at that point, the error is not treated as fatal and Sudo carries on with privileges only partially dropped. A local user with limited privileges could use this to escalate to root or to another privileged account. The vulnerability was reported in March 2026 and affects systems that rely on Sudo for privilege management, putting system integrity and confidentiality at risk. 
Systems running affected versions of Sudo should be patched promptly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system with a low-privileged account.\u003c/li\u003e\n\u003cli\u003eAttacker confirms a vulnerable Sudo version (\u0026lt;= 1.9.17p2, without commit 3e474c2).\u003c/li\u003e\n\u003cli\u003eAttacker triggers an event that makes Sudo invoke its mailer; which events send mail (for example a rejected sudo attempt) depends on the mail_* settings in sudoers.\u003c/li\u003e\n\u003cli\u003eSudo attempts to drop privileges with setuid, setgid, and setgroups before executing the mailer.\u003c/li\u003e\n\u003cli\u003eOne of those calls fails.\u003c/li\u003e\n\u003cli\u003eBecause the failure is not treated as fatal, Sudo continues with privileges only partially dropped.\u003c/li\u003e\n\u003cli\u003eThe mailer runs with more privilege than intended.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the elevated mailer process to execute arbitrary commands or modify system files, gaining full control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35535 can lead to complete system compromise: an attacker who gains root can install malware, exfiltrate sensitive data, or disrupt critical services. Any system running a vulnerable Sudo build is affected, so the exposure spans a wide range of organizations and individuals. 
The severity is high (CVSS 7.4) because a local attacker who already holds a low-privileged account can escalate to root on any host running a vulnerable Sudo build.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Sudo to a build that includes commit 3e474c2 (newer than 1.9.17p2) to remediate CVE-2026-35535.\u003c/li\u003e\n\u003cli\u003eMonitor for failed setuid, setgid, or setgroups calls made by the sudo binary, for example with an auditd syscall rule on those calls filtered to the sudo executable and a non-zero exit value; such a failure is the precondition for this bug.\u003c/li\u003e\n\u003cli\u003eEnforce least privilege in sudoers and limit which accounts may invoke sudo at all, to reduce the blast radius of privilege-escalation bugs in Sudo itself.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T03:16:18Z","date_published":"2026-04-03T03:16:18Z","id":"/briefs/2026-04-sudo-privesc/","summary":"CVE-2026-35535 describes a privilege escalation vulnerability in Sudo versions up to 1.9.17p2, where a non-fatal error during privilege dropping can allow an attacker to gain elevated privileges.","title":"Sudo Privilege Escalation Vulnerability (CVE-2026-35535)","url":"https://feed.craftedsignal.io/briefs/2026-04-sudo-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-35535","version":"https://jsonfeed.org/version/1.1"}
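The attack chain and the recommendation above both turn on one coding pattern: a setuid program drops privileges and then spawns a helper, and the drop's return values decide whether the helper inherits root. The following is an added example written for this page, not code from the CraftedSignal brief or from Sudo's source tree. It shows the lenient drop the brief describes beside a strict drop that treats any failure as fatal and verifies the result, and it generalizes the point to any privileged program that spawns a helper. The struct cred_ops table, the fake_ops/real_ops instances, fake_reset, drop_privs_lenient, drop_privs_strict and run_helper_as are all names invented here; the fake credential state is a test seam so the failure path runs without root and without changing the credentials of the process that executes it.

```c
/* Added example, not Sudo's own code.  Lenient vs. strict privilege drop
 * before spawning a helper (such as a mailer).  The cred_ops table is an
 * assumed test seam: fake_ops simulates the syscalls so a failing setuid
 * can be exercised as an unprivileged user; real_ops needs actual root. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Indirection over the credential syscalls (assumed names, not a real API). */
struct cred_ops {
    int   (*setgroups)(size_t n, const gid_t *list);
    int   (*setgid)(gid_t gid);
    int   (*setuid)(uid_t uid);
    uid_t (*geteuid)(void);
    gid_t (*getegid)(void);
};

/* Real syscalls: only meaningful when the process actually runs as root. */
static int real_setgroups(size_t n, const gid_t *l) { return setgroups((int)n, l); }
static int real_setgid(gid_t g) { return setgid(g); }
static int real_setuid(uid_t u) { return setuid(u); }
const struct cred_ops real_ops = { real_setgroups, real_setgid, real_setuid,
                                   geteuid, getegid };

/* Fake syscalls with simulated state; the fake process starts as root. */
static uid_t fake_uid = 0;
static gid_t fake_gid = 0;
static int   fake_setuid_errno = 0;   /* nonzero: setuid fails with this errno */

static int   fake_setgroups(size_t n, const gid_t *l) { (void)n; (void)l; return 0; }
static int   fake_setgid(gid_t g) { fake_gid = g; return 0; }
static int   fake_setuid(uid_t u) {
    if (fake_setuid_errno) { errno = fake_setuid_errno; return -1; }
    fake_uid = u;
    return 0;
}
static uid_t fake_geteuid(void) { return fake_uid; }
static gid_t fake_getegid(void) { return fake_gid; }
const struct cred_ops fake_ops = { fake_setgroups, fake_setgid, fake_setuid,
                                   fake_geteuid, fake_getegid };

/* Reset the fake to a root process; err != 0 makes the next setuid fail. */
void fake_reset(int err) { fake_uid = 0; fake_gid = 0; fake_setuid_errno = err; }

/* Lenient drop, the pattern the brief describes: each failure is counted
 * but execution continues, so the caller may proceed with euid still 0. */
int drop_privs_lenient(const struct cred_ops *o, uid_t uid, gid_t gid)
{
    int failures = 0;
    if (o->setgroups(1, &gid) != 0) failures++;
    if (o->setgid(gid) != 0)        failures++;
    if (o->setuid(uid) != 0)        failures++;
    return failures;              /* informational; the flawed caller ignores it */
}

/* Strict drop: groups and gid first (while still root), uid last, every
 * return value checked, then the outcome verified against the kernel. */
int drop_privs_strict(const struct cred_ops *o, uid_t uid, gid_t gid)
{
    if (o->setgroups(1, &gid) != 0) return -1;
    if (o->setgid(gid) != 0)        return -1;
    if (o->setuid(uid) != 0)        return -1;   /* can fail with EAGAIN under RLIMIT_NPROC */
    if (o->geteuid() != uid || o->getegid() != gid) {
        errno = EPERM;            /* call returned 0 but credentials did not change */
        return -1;
    }
    return 0;
}

/* Stand-in for "drop privileges, then exec the helper".  Returns the euid the
 * helper would inherit, or -1 when the strict path refuses to continue. */
long run_helper_as(const struct cred_ops *o, uid_t uid, gid_t gid, int strict)
{
    if (strict) {
        if (drop_privs_strict(o, uid, gid) != 0)
            return -1;            /* fatal: the helper is never spawned */
    } else {
        (void)drop_privs_lenient(o, uid, gid);   /* the bug: result ignored */
    }
    return (long)o->geteuid();    /* a real implementation would exec here */
}

int main(void)
{
    fake_reset(0);
    printf("lenient, drop ok:      helper euid %ld\n", run_helper_as(&fake_ops, 1000, 1000, 0));
    fake_reset(EAGAIN);
    printf("lenient, setuid fails: helper euid %ld\n", run_helper_as(&fake_ops, 1000, 1000, 0));
    fake_reset(EAGAIN);
    printf("strict,  setuid fails: result %ld (%s)\n",
           run_helper_as(&fake_ops, 1000, 1000, 1), strerror(errno));
    return 0;
}
```

With the fake in place, the lenient path reports the helper running with euid 0 when setuid fails, which is exactly the state the brief describes; the strict path returns -1 and the helper is never started. Swapping in real_ops requires running as root and permanently changes the credentials of the calling process, so do that only in a throwaway child. The EAGAIN case is worth remembering: on Linux, setuid can fail for a reason unrelated to permissions when the target uid is at its RLIMIT_NPROC limit, so a privilege drop that ignores return values can be defeated by resource pressure alone.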