Fluid Attacks Database

Description

In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	sudo	=1.9.5p2-3 \|\| =1.9.5p2-3+deb11u1 \|\| =1.9.5p2-3+deb11u2 \|\| =1.9.5p2-3+deb11u3 \|\| >=0 <1.9.5p2-3+deb11u4	1.9.5p2-3+deb11u4
debian 12	sudo	=1.9.13p3-1 \|\| =1.9.13p3-1+deb12u1 \|\| =1.9.13p3-1+deb12u2 \|\| =1.9.13p3-1+deb12u3 \|\| >=0 <1.9.13p3-1+deb12u4	1.9.13p3-1+deb12u4
debian 14	sudo	=1.9.16p2-3 \|\| =1.9.17p1-1 \|\| =1.9.17p2-1 \|\| =1.9.17p2-1exp1 \|\| =1.9.17p2-2 \|\| =1.9.17p2-3 \|\| =1.9.17p2-4 \|\| >=0 <1.9.17p2-5	1.9.17p2-5
rpm rhel9	sudo	<0:1.9.5p2-15.el9_7 \|\| >=0:1.9.17p2, <0:1.9.17p2-3.el9_8	0:1.9.17p2-3.el9_8
debian 13	sudo	=1.9.16p2-3 \|\| =1.9.16p2-3+deb13u1 \|\| >=0 <1.9.16p2-3+deb13u2	1.9.16p2-3+deb13u2
rpm rhel8	sudo	<0:1.9.5p2-1.el8_10.5	0:1.9.5p2-1.el8_10.5
rpm rhel7	sudo	-	-
rpm rhel6	sudo	-	-
rpm rhel10	sudo	<0:1.9.15-10.p5.el10_1 \|\| >=0:1.9.17, <0:1.9.17-4.p2.el10_2	0:1.9.17-4.p2.el10_2
rpm rhel10.0	sudo	<0:1.9.15-8.p5.el10_0.3	0:1.9.15-8.p5.el10_0.3

1-10 of 12

Aliases

1. CVE-2026-355352. NVD-2026-355353. OSV-DEBIAN-2026-355354. OSV-2026-355355. SECURITY-TRACKER-CVE-2026-35535

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.