CVE-2025-46718

EUVD-2025-14323
sudo-rs is a memory-safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with limited sudo privileges (e.g. execution of a single command) can list the sudo privileges of other users using the `-U` flag. This vulnerability allows users with limited sudo privileges to enumerate the sudoers file, revealing sensitive information about other users' permissions. Attackers can collect information that can be used for more targeted attacks. Systems where users either do not have sudo privileges or have the ability to run all commands as root through sudo (the default configuration on most systems) are not affected by this advisory. Version 0.2.6 fixes the vulnerability.
CVSS 3.x Base Score

Provider   Type     Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       Primary  3.3 LOW      LOCAL         LOW               LOW              CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
GitHub_M   CNA      3.3 LOW      LOCAL         LOW               LOW              CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Score: Percentile 10%
Affected Products (NVD)

Vendor        Product   Version
trifectatech  sudo      x < 0.2.6

x = Vulnerable software versions
Debian Releases

Debian Product   Codename            Version            Status
rust-sudo-rs     forky               0.2.10-1           fixed
rust-sudo-rs     sid                 0.2.10-1           fixed
rust-sudo-rs     trixie              0.2.5-5+deb13u1    fixed
rust-sudo-rs     trixie (security)   0.2.5-5+deb13u1    fixed
Ubuntu Releases

Ubuntu Product   Codename   Version                 Status
rust-sudo-rs     focal      -                       dne
rust-sudo-rs     jammy      -                       dne
rust-sudo-rs     noble      -                       needed
rust-sudo-rs     oracular   -                       ignored
rust-sudo-rs     plucky     -                       ignored
rust-sudo-rs     questing   Fixed 0.2.8-1ubuntu2    released