CVE-2025-46718: 
Rust vulnerability analysis and mitigation

sudo-rs, a memory safe implementation of sudo and su written in Rust, was found to contain a security vulnerability (CVE-2025-46718) prior to version 0.2.6. The vulnerability was discovered and disclosed on May 12, 2025, affecting systems where users have limited sudo privileges. This vulnerability allows users with restricted sudo access to enumerate other users' sudo privileges using the -U flag, which is not intended behavior compared to the original sudo implementation (GitHub Advisory).

The vulnerability stems from improper privilege checking when using the -U flag with the list pseudocommand. When exploited, users with limited sudo privileges can list sudo privileges of other users, which should not be permitted. The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating local access requirements and low severity (GitHub Advisory).

The vulnerability allows attackers with limited sudo privileges to enumerate the sudoers file, revealing sensitive information about other users' permissions. This information disclosure can be leveraged for more targeted attacks. However, systems where users either do not have sudo privileges or have the ability to run all commands as root through sudo (the default configuration on most systems) are not affected by this vulnerability (GitHub Advisory).

The vulnerability has been fixed in sudo-rs version 0.2.6. Users are advised to upgrade to this version or later. The fix includes additional checking before reporting errors or listing the rights of a user (GitHub Release).

The vulnerability was identified by Sonia Zorba and has received attention from the security community, with multiple reactions on GitHub including thumbs up, heart, and rocket emojis from the community members (GitHub Release).