{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sudo/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-31457"},{"cvss":8.8,"id":"CVE-2026-33208"}],"_cs_exploited":false,"_cs_products":["sudo"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","sudo","linux"],"_cs_type":"advisory","_cs_vendors":["sudo"],"content_html":"\u003cp\u003eMultiple vulnerabilities in sudo, tracked as CVE-2026-31457 and CVE-2026-33208, allow a local attacker to escalate privileges to root. Exploitation is local only: the attacker must already hold an account or code execution on the host. The source material does not describe the underlying flaws, but the impact is full compromise of the affected system. Defenders should deploy detections for anomalous sudo usage and update sudo to a fixed release.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system by an unspecified method (e.g., a compromised account or physical access).\u003c/li\u003e\n\u003cli\u003eThe attacker confirms that a vulnerable sudo build is installed (e.g., with sudo --version).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious sudo invocation, or abuses a configuration flaw, to trigger one of the vulnerabilities; the source does not specify which.\u003c/li\u003e\n\u003cli\u003eBecause of the vulnerability, sudo executes the attacker's command with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to modify system files or execute commands as root.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a backdoor or creates a new privileged account for persistent access.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the escalated privileges to access sensitive data or perform other malicious 
actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation gives a local attacker complete control of the affected system, enabling data theft, system tampering, or malware installation. Exposure scales with the number of hosts running a vulnerable sudo build.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation for unexpected sudo usage, especially commands run as root that deviate from routine administrative tasks, such as interactive shells or account changes. (See Sigma rule \u0026ldquo;Detect Suspicious Sudo Usage\u0026rdquo;.)\u003c/li\u003e\n\u003cli\u003eEnable audit logging for sudo so that the invoking user, target user, and full command line are captured; sudo logs to syslog by default, and the sudoers options log_input and log_output add session recording.\u003c/li\u003e\n\u003cli\u003eUpdate sudo to a fixed release on all hosts and verify the installed version with sudo --version.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T09:33:58Z","date_published":"2026-04-30T09:33:58Z","id":"/briefs/2026-05-sudo-privesc/","summary":"Multiple vulnerabilities in sudo allow a local attacker to bypass security precautions and escalate privileges to root.","title":"Sudo Privilege Escalation Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-05-sudo-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-35535"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sudo","privilege-escalation","cve-2026-35535"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-35535 is a high-severity (CVSS 7.4) privilege escalation vulnerability in Sudo, affecting versions up to 1.9.17p2 that do not include commit 3e474c2. The flaw is an error-handling bug in the privilege drop Sudo performs before running its mailer: 
if the setuid, setgid, or setgroups call fails at that stage, the failure is not treated as fatal and execution continues with privileges that should have been relinquished. A local user with limited privileges can potentially leverage this to gain root or another privileged identity. The vulnerability was reported in March 2026 and affects systems that rely on Sudo for privilege management, posing a significant risk to system integrity and confidentiality. Affected systems should be patched promptly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system with a low-privileged account.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a vulnerable Sudo build (1.9.17p2 or earlier without commit 3e474c2).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a Sudo invocation that causes the mailer to run; the specific trigger is not described in the source.\u003c/li\u003e\n\u003cli\u003eSudo attempts to drop privileges with setuid, setgid, and setgroups before executing the mailer.\u003c/li\u003e\n\u003cli\u003eOne of these privilege-dropping calls fails.\u003c/li\u003e\n\u003cli\u003eBecause of the vulnerability, the failure is not treated as fatal and Sudo continues with the privilege drop incomplete.\u003c/li\u003e\n\u003cli\u003eThe mailer executes with higher privileges than intended.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the elevated privileges to execute arbitrary commands or modify system files, gaining full control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35535 can lead to complete system compromise: an attacker who gains root can install malware, exfiltrate sensitive data, or disrupt critical services. 
The vulnerability affects any system running a vulnerable Sudo build, so the exposure spans a wide range of organizations and individuals. The severity is rated high rather than critical because exploitation requires local access as an existing low-privileged user; the source describes no remote or unauthenticated path.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Sudo to a build that includes commit 3e474c2 (a release newer than 1.9.17p2 that carries the fix) to remediate CVE-2026-35535, and confirm the installed version with sudo --version.\u003c/li\u003e\n\u003cli\u003eMonitor for failed setuid, setgid, or setgroups calls made by sudo, for example with auditd syscall rules on that family of calls filtered on comm=sudo and success=0 (see the accompanying example Sigma rule).\u003c/li\u003e\n\u003cli\u003eLimit which accounts may invoke sudo at all and keep sudoers rules minimal, since the flaw requires an existing local foothold.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T03:16:18Z","date_published":"2026-04-03T03:16:18Z","id":"/briefs/2026-04-sudo-privesc/","summary":"CVE-2026-35535 describes a privilege escalation vulnerability in Sudo versions up to 1.9.17p2, where a non-fatal error during privilege dropping can allow an attacker to gain elevated privileges.","title":"Sudo Privilege Escalation Vulnerability (CVE-2026-35535)","url":"https://feed.craftedsignal.io/briefs/2026-04-sudo-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Sudo","version":"https://jsonfeed.org/version/1.1"}
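The CVE-2026-35535 brief above turns on a single error-handling decision: whether a failed setgroups, setgid or setuid before the mailer runs is fatal. The Python below is an added example, not sudo's code and not from the advisory; it models that decision with injectable privilege operations so the failure path can be exercised deterministically as an unprivileged user. PrivOps, fake_ops, drop_privileges and spawn_mailer are hypothetical names; only the os.* calls are real.

```python
"""Fail-open versus fail-closed privilege dropping before running a helper.

Added example, not code from sudo or from the advisory. It models only the
error-handling pattern the advisory describes: three calls (setgroups,
setgid, setuid) that must all succeed before a mailer is executed. The
names PrivOps, fake_ops, drop_privileges and spawn_mailer are hypothetical;
only the os.* calls are real.
"""
import errno
import os
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class PrivOps:
    """The three privilege-changing calls, injectable so that the failure
    path can be exercised without running as root."""
    setgroups: Callable[[List[int]], None]
    setgid: Callable[[int], None]
    setuid: Callable[[int], None]


# Real system calls for an actual helper. Not used by the demo below: as
# root they would genuinely change this process's identity.
REAL_OPS = PrivOps(os.setgroups, os.setgid, os.setuid)


def fake_ops(fail_at: str = "") -> PrivOps:
    """Ops that succeed except for the named step, which raises EPERM, the
    error the kernel returns when a process may not change its identity."""
    def step(name: str) -> Callable[..., None]:
        def call(*_args) -> None:
            if name == fail_at:
                raise PermissionError(errno.EPERM, os.strerror(errno.EPERM))
        return call
    return PrivOps(step("setgroups"), step("setgid"), step("setuid"))


def drop_privileges(ops: PrivOps, uid: int, gid: int,
                    fail_closed: bool) -> Tuple[bool, List[str]]:
    """Drop to uid/gid in the only safe order: supplementary groups first,
    then primary gid, then uid (once the uid is unprivileged the earlier
    calls can no longer be made). Returns (fully_dropped, log).

    fail_closed=False reproduces the vulnerable pattern: a failing step is
    logged and the remaining steps are still attempted, so the caller may
    continue with a partially privileged identity. fail_closed=True stops
    at the first failure so the caller can refuse to exec.
    """
    log: List[str] = []
    steps = (("setgroups", lambda: ops.setgroups([gid])),
             ("setgid", lambda: ops.setgid(gid)),
             ("setuid", lambda: ops.setuid(uid)))
    fully_dropped = True
    for name, call in steps:
        try:
            call()
            log.append(f"{name}: ok")
        except OSError as exc:
            log.append(f"{name}: failed ({exc.strerror})")
            fully_dropped = False
            if fail_closed:
                break
    return fully_dropped, log


def spawn_mailer(ops: PrivOps, uid: int, gid: int,
                 fail_closed: bool) -> Tuple[str, List[str]]:
    """Stand-in for the step that execs the mailer after the privilege
    drop. Returns the outcome instead of actually exec'ing anything."""
    dropped, log = drop_privileges(ops, uid, gid, fail_closed)
    if dropped:
        return "mailer runs unprivileged", log
    if fail_closed:
        return "aborted before exec", log
    return "mailer runs with residual privileges", log


if __name__ == "__main__":
    # 65534 is the conventional nobody uid/gid; the fake ops never apply it.
    for closed in (False, True):
        outcome, log = spawn_mailer(fake_ops(fail_at="setuid"), 65534, 65534, closed)
        print(f"fail_closed={closed}: {outcome}; " + "; ".join(log))
```

A real helper should also verify the drop after the fact (os.getresuid(), os.getresgid(), os.getgroups()) and treat any mismatch, or a subsequent os.setuid(0) that does not raise EPERM, as a fatal error rather than trusting the return path alone.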
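Both briefs end with a detection recommendation: the first asks for monitoring of sudo invocations that deviate from routine administration, the second for failed setuid, setgid or setgroups calls made by sudo. The Python below is an added example, not from the advisory, the Sigma rule it cites, or the sudo project; it implements both checks over constructed auditd and syslog lines. The auditd rule named in the docstring, the syscall-number map (x86_64 only) and the allowlist of routine executables are assumptions for the example.

```python
"""Two detections for the sudo briefs: failed privilege-drop syscalls from
sudo in raw auditd output, and sudo invocations outside an allowlist of
routine administrative commands.

Added example, not from the advisory or the sudo project. All log lines
are constructed. The failed-syscall records are assumed to come from an
auditd rule such as
  -a always,exit -F arch=b64 -S setuid,setgid,setgroups,setresuid,setresgid -F success=0 -k privdrop_fail
"""
import re
from typing import Dict, Iterable, List, Set

# x86_64 (arch=c000003e) syscall numbers for the identity-changing calls.
# Raw auditd records carry numbers; `ausearch -i` would show the names.
PRIVDROP_SYSCALLS = {105: "setuid", 106: "setgid", 116: "setgroups",
                     117: "setresuid", 119: "setresgid"}

# Executables considered routine when run via sudo on this host (assumption).
ROUTINE_SUDO_EXECUTABLES: Set[str] = {"/usr/bin/apt", "/usr/bin/systemctl",
                                      "/usr/bin/journalctl"}

_AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# sudo's default syslog line: "sudo:  user : [reason ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=..."
_SUDO_SYSLOG = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?P<detail>.*?)TTY=\S+ ; PWD=.*? ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split a raw auditd record into key/value pairs, unquoting values."""
    return {key: value.strip('"') for key, value in _AUDIT_KV.findall(line)}


def failed_privdrop_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """SYSCALL records where a setuid/setgid/setgroups-family call made by
    sudo failed. success=yes is normal; a failure from comm=sudo is the
    condition the CVE-2026-35535 brief says to watch for."""
    hits = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("comm") != "sudo":
            continue
        if rec.get("success") != "no":
            continue
        name = PRIVDROP_SYSCALLS.get(int(rec.get("syscall", "-1")))
        if name is None:
            continue
        hits.append({"syscall": name, "exit": rec.get("exit", ""),
                     "auid": rec.get("auid", ""), "pid": rec.get("pid", "")})
    return hits


def anomalous_sudo_commands(lines: Iterable[str],
                            routine: Set[str] = ROUTINE_SUDO_EXECUTABLES) -> List[dict]:
    """sudo syslog entries whose target executable is outside the routine
    allowlist, or which sudo itself denied. Shells, account creation and
    permission changes run as root match the post-escalation steps in the
    first brief's attack chain."""
    flagged = []
    for line in lines:
        m = _SUDO_SYSLOG.search(line)
        if not m:
            continue
        executable = m.group("cmd").split()[0]
        denied = ("NOT in sudoers" in m.group("detail")
                  or "command not allowed" in m.group("detail"))
        if denied or executable not in routine:
            flagged.append({"user": m.group("user"), "runas": m.group("runas"),
                            "executable": executable, "command": m.group("cmd"),
                            "denied": denied})
    return flagged


# Constructed sample records; not captured from any real host.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1777541638.101:4521): arch=c000003e syscall=116 success=no exit=-1 '
    'a0=1 a1=7ffd4c1e0a20 a2=0 a3=0 items=0 ppid=4200 pid=4242 auid=1000 uid=0 gid=1000 euid=0 '
    'suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts3 ses=7 comm="sudo" exe="/usr/bin/sudo" key="privdrop_fail"',
    'type=PROCTITLE msg=audit(1777541638.101:4521): proctitle=7375646F',
    'type=SYSCALL msg=audit(1777541520.330:4470): arch=c000003e syscall=105 success=yes exit=0 '
    'a0=0 a1=0 a2=0 a3=0 items=0 ppid=3901 pid=3955 auid=1000 uid=0 gid=1000 euid=0 '
    'suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=5 comm="sudo" exe="/usr/bin/sudo" key="identity_change"',
    'type=SYSCALL msg=audit(1777541640.002:4530): arch=c000003e syscall=105 success=no exit=-1 '
    'a0=0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=4300 auid=1001 uid=1001 gid=1001 euid=1001 '
    'suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=8 comm="python3" exe="/usr/bin/python3" key="privdrop_fail"',
]
SAMPLE_SYSLOG = [
    "Apr 30 09:33:58 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Apr 30 09:34:10 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Apr 30 09:41:02 web01 sudo:    alice : TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash -c useradd -o -u 0 -g 0 svc",
    "Apr 30 09:41:30 web01 sudo:  mallory : user NOT in sudoers ; TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/chmod u+s /tmp/sh",
]

if __name__ == "__main__":
    for hit in failed_privdrop_events(SAMPLE_AUDIT):
        print("failed privilege drop in sudo:", hit)
    for entry in anomalous_sudo_commands(SAMPLE_SYSLOG):
        print("anomalous sudo use:", entry)
```

On a real host the audit side reads `/var/log/audit/audit.log` (or `ausearch -k privdrop_fail --raw`) and the syslog side reads the auth facility; the allowlist should be built from a baseline of each host's normal sudo activity rather than hard-coded as here.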