CVE-2025-46718

Public Exploit
sudo-rs Allows Low Privilege Users to Enumerate Privileges of Others

Description

sudo-rs is a memory safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with limited sudo privileges (e.g. execution of a single command) can list sudo privileges of other users using the `-U` flag. This vulnerability allows users with limited sudo privileges to enumerate the sudoers file, revealing sensitive information about other users' permissions. Attackers can collect information that can be used to more targeted attacks. Systems where users either do not have sudo privileges or have the ability to run all commands as root through sudo (the default configuration on most systems) are not affected by this advisory. Version 0.2.6 fixes the vulnerability.

Category

3.3
CVSS
Severity: Low
CVSS 3.1 •
EPSS 0.01%
Vendor Advisory github.com
Affected: trifectatechfoundation sudo-rs
Published at:
Updated at:

References

Link Tags
https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-w9q3-g4p5-5q2r exploit vendor advisory
https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.6 release notes

Frequently Asked Questions

What is the severity of CVE-2025-46718?
CVE-2025-46718 has been scored as a low severity vulnerability.
How to fix CVE-2025-46718?
To fix CVE-2025-46718, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-46718 being actively exploited in the wild?
It is possible that CVE-2025-46718 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-46718?
CVE-2025-46718 affects trifectatechfoundation sudo-rs.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.