CVE-2025-64517: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-64517 affects sudo-rs, a memory-safe implementation of sudo and su written in Rust. The vulnerability was discovered and disclosed on November 11, 2025, affecting versions after 0.2.5 and was patched in version 0.2.10. The issue specifically impacts systems using sudo-rs with Defaults targetpw or Defaults rootpw configurations (GitHub Advisory).

The vulnerability stems from sudo-rs incorrectly recording the invoking user's UID instead of the authenticated-as user's UID in the authentication timestamp. When Defaults targetpw or Defaults rootpw is enabled, the system uses the password of the target account (or root account) for authentication rather than the invoking user's password. However, the timestamp recording mechanism failed to properly track which user was actually authenticated (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score indicating moderate severity with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N.

The vulnerability allows a highly-privileged user who knows one password of an account they are allowed to run commands as to execute commands as any other account permitted by the policy, even without knowing the passwords for those accounts. A common exploitation scenario involves users still being able to use their own password to run commands as root, effectively negating the intended security behavior of the targetpw or rootpw options (GitHub Advisory).

The vulnerability has been patched in sudo-rs version 0.2.10. Ubuntu has released security updates for affected systems, with version 0.2.8-1ubuntu5.2 available for Ubuntu 25.10 (questing) (Ubuntu Security Notice). Users are advised to update their systems to the patched versions to address this security issue.