CVE-2025-46717

Publication date 12 May 2025

Last updated 26 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

sudo-rs is a memory safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with no (or very limited) sudo privileges can determine whether files exists in folders that they otherwise cannot access using `sudo --list <pathname>`. Users with local access to a machine can discover the existence/non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks. Version 0.2.6 fixes the vulnerability.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
rust-sudo-rs	26.04 LTS resolute	Fixed 0.2.8-1ubuntu2
	25.10 questing	Fixed 0.2.8-1ubuntu2
	25.04 plucky	Ignored end of life, was needed
	24.10 oracular	Ignored end of life, was needs-triage
	24.04 LTS noble	Vulnerable
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
rust-sudo-rs	Upstream: 5498418 Upstream: 848719f

Severity score breakdown

CVSS version: CVSS v3.0

Base score 3.3 · Low

Base metrics

Parameter	Value
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality impact	Low
Integrity impact	None
Availability impact	None

Scores

Parameter	Value
Base score	3.3 · Low
Exploitability score	-
Impact score	-

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N