CVE-2026-35535
In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer
CVSS
7.4
High
EPSS
0.2%
p7
KEV
—
Exploit Today
2
0-100
Published: Apr 3, 2026 · Last modified: Jul 15, 2026 · CWE-271 · CWE-272
0.2%EPSS · 30 days0.2%
2026-06-302026-07-17
In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.
- bugs.debian.orghttps://bugs.debian.org/1130593
- bugs.launchpad.nethttps://bugs.launchpad.net/ubuntu/+source/sudo/+bug/2143042
- github.comhttps://github.com/sudo-project/sudo/commit/3e474c2f201484be83d994ae10a4e20e8c81bb69
- www.qualys.comhttps://www.qualys.com/2026/03/10/crack-armor.txt
- lists.debian.orghttps://lists.debian.org/debian-lts-announce/2026/06/msg00003.html
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:10758
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:11521
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:12310
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:13731
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:13888
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:13889
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:13891
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:13892
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:13895
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:13896
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:14228
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:14437
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19067
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19220
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:20040
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-444779.9 CRI38.3%
——11CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes. This vulnerability is fixed in 1.29.1 and 1.28.3.3dCVE-2026-152707.5 HIG35.8%
——11A weakness has been identified in D-link DIR-823G 1.0.2B05_20181207. Affected by this vulnerability is an unknown functionality of the file /etc/boa/boa.conf of the component Web Interface. Executing a manipulation can lead to least privilege violation. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks.4dCVE-2026-152717.5 HIG33.0%
——10A security vulnerability has been detected in TOTOLINK A3000RU, A3100R, A950RG, AC1200T10, CP450, CS185R_T10 and EX200 up to 20260906. Affected by this issue is some unknown functionality of the file /etc/boa/boa.conf of the component Web Interface. The manipulation leads to least privilege violation. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation is known to be difficult.7d