CVE-2026-35535
Published: 03 April 2026
Summary
CVE-2026-35535 is a high-severity Privilege Dropping / Lowering Errors (CWE-271) vulnerability in Debian (inferred from references). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-24 (Fail in Known State) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the CVE by requiring identification, reporting, and correction of the specific flaw in Sudo that fails to treat privilege drop errors as fatal.
- SC-24 (Fail in Known State): Requires Sudo and similar privilege management components to fail to a known secure state upon setuid/setgid/setgroups failures, preventing execution of the mailer with elevated privileges.
- Ensures error handling for privilege drop failures does not compromise security by continuing execution with elevated privileges, addressing the improper state management error.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a flaw in Sudo's privilege dropping logic (setuid/setgid/setgroups) that allows a local unprivileged attacker to retain root privileges and execute the mailer as root, directly enabling privilege escalation.
NVD Description
In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.
Deeper analysis
CVE-2026-35535 affects Sudo versions through 1.9.17p2 prior to commit 3e474c2. The vulnerability arises when Sudo attempts to drop privileges via setuid, setgid, or setgroups calls before executing the mailer utility, which is typically used for error notifications. If any of these calls fails, Sudo does not treat the failure as fatal, so the process can continue with its elevated privileges and the mailer can be run as root. The issue is classified under CWE-271 (Privilege Dropping / Lowering Errors) with a CVSS v3.1 base score of 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A local attacker with no privileges (PR:N) can exploit this vulnerability, though it requires high attack complexity (AC:H). By triggering conditions that cause the privilege drop to fail—such as manipulating system resources or configurations—the attacker can prevent successful de-escalation, leading to execution of the mailer with root privileges. This grants high confidentiality, integrity, and availability impacts, facilitating full privilege escalation from an unprivileged user to root.
Advisories and patches recommend updating to Sudo versions incorporating commit 3e474c2 from the Sudo project GitHub repository, which addresses the issue by making privilege drop failures fatal. Debian bug tracker entry 1130593 and Ubuntu Launchpad bug 2143042 detail the problem in their distributions, while the Qualys advisory at qualys.com/2026/03/10/crack-armor.txt provides further analysis and confirms the patch as the primary mitigation.
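The two privilege-drop patterns the analysis contrasts, as an added example that is not Sudo's code: a "before" routine that only notes a failed setgroups/setgid/setuid and still reports success, and a fail-closed routine that stops at the first failure so the caller can refuse to exec the mailer. The `priv_ops` seam and the constructed fault-injection stubs are assumptions of this example (Sudo calls libc directly); they let the failure path run without root.

```c
#define _DEFAULT_SOURCE           /* for setgroups() in <grp.h> on glibc */
#include <errno.h>
#include <grp.h>
#include <stddef.h>
#include <unistd.h>

/* Seam over the three libc calls so the failure path can be exercised
 * without root (hypothetical; sudo itself calls libc directly). */
struct priv_ops {
    int (*setgroups_fn)(size_t, const gid_t *);
    int (*setgid_fn)(gid_t);
    int (*setuid_fn)(uid_t);
};

static int real_setgroups(size_t n, const gid_t *g) { return setgroups(n, g); }
const struct priv_ops real_ops = { real_setgroups, setgid, setuid };

/* "Before" pattern, as the advisory describes it: each failed call is
 * only counted, the function still reports success, and the caller goes
 * on to exec the mailer while holding the original credentials. */
int drop_privs_lenient(const struct priv_ops *ops, uid_t uid, gid_t gid,
                       const gid_t *groups, size_t ngroups, int *warnings)
{
    *warnings = 0;
    if (ops->setgroups_fn(ngroups, groups) != 0) (*warnings)++;
    if (ops->setgid_fn(gid) != 0) (*warnings)++;
    if (ops->setuid_fn(uid) != 0) (*warnings)++;
    return 0;                      /* never fatal: this is the flaw */
}

/* Fixed pattern: groups first, then gid, then uid (setuid() gives up the
 * right to change the others), every return value checked, and the first
 * failure stops the drop with errno intact so the caller can refuse to
 * exec anything at all. */
int drop_privs_strict(const struct priv_ops *ops, uid_t uid, gid_t gid,
                      const gid_t *groups, size_t ngroups)
{
    if (ops->setgroups_fn(ngroups, groups) != 0) return -1;
    if (ops->setgid_fn(gid) != 0) return -1;
    if (ops->setuid_fn(uid) != 0) return -1;
    return 0;
}
/* Constructed fault-injection stubs: setuid() "fails" with EPERM. */
static int ok_setgroups(size_t n, const gid_t *g) { (void)n; (void)g; return 0; }
static int ok_setgid(gid_t g) { (void)g; return 0; }
static int ok_setuid(uid_t u) { (void)u; return 0; }
static int fail_setuid(uid_t u) { (void)u; errno = EPERM; return -1; }
const struct priv_ops passing_ops = { ok_setgroups, ok_setgid, ok_setuid };
const struct priv_ops failing_ops = { ok_setgroups, ok_setgid, fail_setuid };
```

A caller of `drop_privs_strict` treats any nonzero return as fatal and exits before exec; with `real_ops` the same functions perform the actual drop.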
Details
- CWE(s)