CVE-2026-35535 Overview
A privilege escalation vulnerability exists in Sudo through version 1.9.17p2 that arises from improper handling of failed privilege drop operations. When Sudo attempts to drop privileges before running the mailer component, failures in the setuid, setgid, or setgroups system calls are not treated as fatal errors. Because the code does not abort on a failed drop, the process that is about to execute the mailer can keep the elevated privileges it was supposed to shed, potentially leading to local privilege escalation.
Critical Impact
Local attackers may exploit this vulnerability to escalate privileges on affected systems running vulnerable versions of Sudo, potentially gaining root access through improper privilege drop handling.
Affected Products
- Sudo versions through 1.9.17p2 (before commit 3e474c2)
- Linux distributions using vulnerable Sudo versions (Debian, Ubuntu, and others)
- Systems whose sudoers configuration has mail enabled, i.e. mailto is set and at least one of the mail_* flags is active; the built-in defaults set mailto and turn mail_no_user on, so stock installations are included
Discovery Timeline
- April 3, 2026 - CVE-2026-35535 published to NVD
- April 3, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35535
Vulnerability Analysis
This vulnerability is classified under CWE-271 (Privilege Dropping / Lowering Errors), which describes situations where software fails to properly drop privileges when intended. In the context of Sudo, when the mailer subprocess is invoked, the application attempts to reduce its privilege level by calling setuid, setgid, and setgroups functions. However, the implementation prior to commit 3e474c2 did not treat failures of these calls as fatal conditions.
When one of these privilege-dropping calls fails and its return value is ignored, execution continues with whatever credentials the process still holds rather than the intended reduced identity. This is a security boundary violation: the mailer may be executed with root privileges (or with a partially dropped identity, such as the target uid but the original root gid) when it should be running with restricted user-level access.
Root Cause
The root cause stems from insufficient error checking in the privilege drop sequence within Sudo's mailer execution path. The code path that prepares to execute the mailer calls setuid(), setgid(), and setgroups() to transition from the elevated sudo context to a less privileged state. When any of these calls return an error, the code continued execution rather than aborting or returning a fatal error condition.
This design flaw means that under conditions where the operating system refuses to perform the privilege transition (for example a security module denying the credential change, or namespace restrictions on setgroups), the process keeps its elevated privileges while continuing to execute operations that were designed to run with reduced permissions. The sequence also has no post-drop verification, so a drop that returned success but did not take full effect would go unnoticed as well.
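As an added example (this is not sudo's code), the C program below places the unchecked credential-drop pattern the advisory describes beside a fail-closed version, and adds the post-drop sanity check a practitioner would want. The cred_ops table, the sim_* fakes, run_scenario() and privs_really_dropped() are this example's own devices, introduced so that a failing step can be injected and the resulting identity inspected without running as root.

```c
/*
 * Added example, not code from sudo: the CWE-271 pattern (credential-dropping
 * calls whose failures are ignored) next to the corrected fail-closed pattern.
 * The cred_ops table and the sim_* functions are constructed for this
 * demonstration so a failing step can be injected without root privileges.
 */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

struct cred_ops {
    int (*setgroups)(size_t n, const gid_t *groups);
    int (*setgid)(gid_t gid);
    int (*setuid)(uid_t uid);
};

/* Pattern before the fix: return values are discarded and the caller goes on
 * to exec the mailer with whatever identity the process still has. */
static void drop_privs_nonfatal(const struct cred_ops *ops, uid_t uid, gid_t gid)
{
    (void)ops->setgroups(1, &gid);
    (void)ops->setgid(gid);
    (void)ops->setuid(uid);
}

/* Fail-closed pattern: supplementary groups, then gid, then uid (uid must be
 * last, since once the uid changes the process can no longer change gids), and
 * the first failure is reported so the caller aborts instead of exec'ing. */
static int drop_privs_fatal(const struct cred_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->setgroups(1, &gid) == -1) return -1;
    if (ops->setgid(gid) == -1) return -1;
    if (ops->setuid(uid) == -1) return -1;
    return 0;
}

/* Post-drop sanity check on the real process: the ids must read back as
 * requested and a setuid(0) probe must now be refused with EPERM. */
static int privs_really_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    return setuid(0) == -1 && errno == EPERM;
}

/* --- simulated kernel for the demonstration (constructed, not real) --- */
enum { FAIL_NONE = 0, FAIL_SETGROUPS = 1, FAIL_SETGID = 2, FAIL_SETUID = 3 };
static uid_t sim_uid;
static gid_t sim_gid;
static int sim_fail_step;

static int sim_setgroups(size_t n, const gid_t *g)
{
    (void)n; (void)g;
    if (sim_fail_step == FAIL_SETGROUPS) { errno = EPERM; return -1; }
    return 0;
}
static int sim_setgid(gid_t g)
{
    if (sim_fail_step == FAIL_SETGID) { errno = EPERM; return -1; }
    sim_gid = g;
    return 0;
}
static int sim_setuid(uid_t u)
{
    if (sim_fail_step == FAIL_SETUID) { errno = EAGAIN; return -1; }
    sim_uid = u;
    return 0;
}
static const struct cred_ops sim_ops = { sim_setgroups, sim_setgid, sim_setuid };

struct drop_result { int rc; uid_t uid; gid_t gid; };

/* Start as simulated root, attempt the drop to 1000:1000 with one step forced
 * to fail, and report whether the code would proceed to exec, and as whom. */
static struct drop_result run_scenario(int checked, int fail_step)
{
    struct drop_result r;
    sim_uid = 0; sim_gid = 0; sim_fail_step = fail_step;
    if (checked) {
        r.rc = drop_privs_fatal(&sim_ops, 1000, 1000);
    } else {
        drop_privs_nonfatal(&sim_ops, 1000, 1000);
        r.rc = 0;                       /* unchecked code never reports failure */
    }
    r.uid = sim_uid; r.gid = sim_gid;
    return r;
}

int main(void)
{
    struct drop_result r = run_scenario(0, FAIL_SETUID);
    printf("unchecked, setuid fails: proceeds (rc=%d) as uid=%u gid=%u\n",
           r.rc, (unsigned)r.uid, (unsigned)r.gid);
    r = run_scenario(0, FAIL_SETGID);
    printf("unchecked, setgid fails: proceeds as uid=%u but keeps gid=%u\n",
           (unsigned)r.uid, (unsigned)r.gid);
    r = run_scenario(1, FAIL_SETUID);
    printf("checked,   setuid fails: rc=%d, caller must abort before exec\n", r.rc);
    printf("this process can still regain root: %s\n",
           privs_really_dropped(getuid(), getgid()) ? "no" : "yes");
    return 0;
}
```

The unchecked variant "succeeds" in every scenario: with setuid() failing the process would exec the mailer as uid 0, and with setgid() failing it would run as the target user but with gid 0. The checked variant returns -1 at the first failure, which is the behaviour the fix described below introduces for sudo's mailer path.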
Attack Vector
The attack vector requires local access to the target system. An attacker who can execute commands on a system running a vulnerable Sudo version would need to bring about conditions under which the privilege drop calls fail. Neither the CVE record nor this page documents a confirmed trigger; candidate conditions include:
- Resource limits: historically, setuid() could fail with EAGAIN when the target user was over RLIMIT_NPROC. On Linux kernels since 3.1 that check was moved from setuid() to execve(), so an exhausted process limit makes the later exec fail rather than the drop; this avenue mainly concerns older kernels and other platforms
- Security module intervention (SELinux, AppArmor or similar policy denying the credential change)
- Container or namespace boundaries where credential operations behave differently; for example, in a user namespace whose setgroups has been denied, setgroups() fails with EPERM
- Timing the attempt against other activity on the host that drives one of the above conditions; the credential syscalls themselves are synchronous, so this is not a race within the drop sequence
The vulnerable code is the privilege drop performed before running the mailer. Reaching it does not require sudo privileges: the mailer is invoked whenever mailto is set and one of the mail_* conditions fires, and mail_no_user is on by default, so any local user not listed in sudoers reaches this path simply by running a command through sudo (mail_badpass, mail_no_perms and mail_always extend it further when set). For the vulnerability to be exploitable, the attacker must combine reaching the mailer path with a failing privilege drop, so that the mailer runs with higher privileges than intended.
Detection Methods for CVE-2026-35535
Indicators of Compromise
- Unexpected processes running with elevated privileges when they should be running as unprivileged users
- Mailer processes (typically sendmail or configured mail transport agents) executing with root privileges unexpectedly
- Anomalous sudo execution patterns involving mail-related operations
- System logs showing privilege-related syscall failures followed by successful command execution
Detection Strategies
- Monitor for Sudo processes that invoke mailer functionality and correlate with privilege level of child processes
- Implement auditd rules to track setuid, setgid, and setgroups syscall failures in sudo-related processes
- Deploy endpoint detection solutions that monitor for privilege escalation attempts via sudo
- Review system logs for patterns indicating failed privilege drops that did not result in process termination
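As an added example, not configuration from the advisory or from the sudo project, the following auditd rules fragment records credential-changing syscalls that fail inside a sudo process, which is the observable footprint of the condition described above. The rule key sudo_privdrop_fail and the binary path /usr/bin/sudo are assumptions; check the installed path with `command -v sudo` and adjust. The exe filter needs auditd 2.4 or later on a kernel with exe-field support (4.3+), and the arch=b64 line assumes an x86_64 or aarch64 host.

```text
## /etc/audit/rules.d/50-sudo-privdrop.rules  (added example; key and path assumed)
## Record every credential-change syscall that FAILS inside sudo. sudo switches
## identities routinely with setresuid/setresgid, so filter on success=0 to
## keep the rule quiet in normal operation; a hit here is always worth a look.
-a always,exit -F arch=b64 -S setuid,setgid,setgroups,setresuid,setresgid -F exe=/usr/bin/sudo -F success=0 -k sudo_privdrop_fail
```

Load it with `augenrules --load` (or `auditctl -R` on the file) and search with `ausearch -k sudo_privdrop_fail -i`. Correlate any hit by pid with the immediately following EXECVE record in the same audit stream: a failed drop followed by the mailer starting with uid=0 is the pattern this vulnerability would produce, while a failed drop followed by sudo exiting is what the patched behaviour looks like.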
Monitoring Recommendations
- Configure audit logging for all Sudo invocations, noting the mail-related Defaults in effect (mailto, mailerpath and the mail_* flags); sudo has no command-line flags for mail, so this is a sudoers review rather than an argument filter
- Monitor process hierarchy to detect unexpected privilege levels in sudo child processes
- Implement file integrity monitoring on Sudo binaries and configuration files
- Set up alerts for unusual patterns in sendmail or mailer invocations originating from sudo
How to Mitigate CVE-2026-35535
Immediate Actions Required
- Upgrade Sudo to a version containing commit 3e474c2 or later
- Review Sudo configuration to determine if mailer functionality is enabled and consider disabling if not required
- Apply vendor-provided patches from your Linux distribution's security repository
- Audit systems for any signs of exploitation attempts related to this vulnerability
Patch Information
The vulnerability has been addressed in Sudo through commit 3e474c2, which modifies the privilege drop handling to treat failures in setuid, setgid, and setgroups calls as fatal errors. This ensures that if the privilege transition cannot be completed successfully, the mailer execution is aborted rather than proceeding with elevated privileges.
Distribution-specific patches are being tracked:
Additional technical analysis is available in the Qualys Security Analysis.
Workarounds
- Disable the mailer functionality in Sudo if not required, by negating mailerpath or mailto in the sudoers Defaults (Defaults !mailerpath and Defaults !mailto); note that this also suppresses the "user not in sudoers" notification until the patch is applied
- Restrict sudo access to trusted users only until patching can be completed
- Implement additional privilege boundary monitoring using SELinux or AppArmor policies
- Configure process accounting to detect and alert on unexpected privilege levels
# Disable mailer in sudoers to mitigate until patch is applied.
# The mailer only runs when mailto is set and a mail_* flag fires
# (mail_no_user is on by default); negating either option disables mail,
# at the cost of losing those notifications until the patch is in place.
# Add to /etc/sudoers or /etc/sudoers.d/security (mode 0440, no '.' or '~'
# in the file name) and validate the result with visudo -c
Defaults !mailerpath
Defaults !mailto
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

