Releases: 263
Frequency: 1 month 1 week
Last Release:
Stars: 1.67K
Utility to execute a command as another user

CVE History

CVE | Published | CVSS v3 | CVSS v2

CVSS v3: 7.4 HIGH
In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.

CVSS v3: 7 HIGH
Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit.

CVSS v3: 5.3 MEDIUM
Sudo before 1.9.13 does not escape control characters in log messages.

CVSS v3: 5.3 MEDIUM
Sudo before 1.9.13 does not escape control characters in sudoreplay output.

CVSS v3: 7.1 HIGH
Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the system libraries, compiler, and processor architecture.