The Trifecta Tech Foundation, which develops Rust reimplementations of the sudo and su utilities, has released sudo-rs 0.2.10. The release matters because it fixes two vulnerabilities that affect Ubuntu 25.10, which ships sudo-rs in place of the traditional sudo utility. Before this release, the sudo-rs code base had passed security audits conducted by NLnet in August 2023 and by NGICore in August 2025.
One of the vulnerabilities fixed in sudo-rs 0.2.10 is CVE-2025-64517. It allows a user who is permitted by the sudoers policy to run commands as other users or as root to run commands as a user whose password they do not know, even when the configuration has been tightened to require the target user's password rather than the invoking user's. The only precondition is that the user knows the password of at least one of the users they are authorized to run commands as.
The vulnerability is relevant only when the rootpw or targetpw flag is enabled in the sudoers configuration. Both flags are disabled by default and have been supported by sudo-rs since version 0.2.5. Enabling them changes sudo's behaviour so that it prompts for the target user's password (or, with rootpw, root's password) instead of the password of the user running sudo. With the flaw, however, a user who has authenticated once with a password they do know (for example their own, where the policy lets them run commands as themselves) can then run commands as root without root's password, defeating the requirement that targetpw and rootpw are meant to impose.
The root cause lies in the timestamp files that sudo uses to cache a successful authentication so that further commands can be run without a password for a period of time (15 minutes by default). When targetpw or rootpw is set, sudo-rs wrote the UID of the user running sudo into the timestamp file instead of the UID of the user whose password had actually been verified. As a result, a cached authentication obtained with one target user's password was honoured for any other target user, including root. The vulnerability has been rated medium severity, with a CVSS score of 4.4 out of 10.
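To make the timestamp logic concrete, the following is an added example written for this article; it is not sudo-rs code, and the type names, UIDs and passwords are constructed for the illustration. It models sudo's authentication cache under targetpw semantics (rootpw is the same rule restricted to the root target) in two variants: one that keys the cached record on the invoking user's UID alone, as the flawed versions did, and one that also records the UID of the user whose password was verified. The scenario then replays the attack from the advisory: a user authenticates with another user's password and, within the timeout, asks to run as root without offering any password.

```rust
// Added example, not sudo-rs code: a minimal in-memory model of sudo's
// authentication-timestamp cache under targetpw/rootpw semantics. The
// "InvokingOnly" variant reproduces the flaw described above; the other
// variant records the authenticated identity as well. All names, UIDs and
// passwords are constructed for this illustration.
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
struct Uid(u32);

/// Which identity the cached timestamp record is keyed on.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum RecordScope {
    /// Key only on the user running sudo (the flawed pre-0.2.10 behaviour).
    InvokingOnly,
    /// Key on the invoking user *and* the user whose password was verified.
    InvokingAndAuthenticated,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
struct TimestampKey {
    invoking: Uid,
    authenticated_as: Option<Uid>, // None in the flawed model
}

struct SudoModel {
    scope: RecordScope,
    now: u64,                           // fake clock, in seconds
    timeout: u64,                       // sudo's default timestamp_timeout is 15 minutes
    stamps: HashMap<TimestampKey, u64>, // stand-in for the on-disk timestamp files
    passwords: HashMap<Uid, &'static str>,
}

impl SudoModel {
    fn new(scope: RecordScope) -> Self {
        SudoModel { scope, now: 1_000, timeout: 15 * 60, stamps: HashMap::new(), passwords: HashMap::new() }
    }

    fn key(&self, invoking: Uid, target: Uid) -> TimestampKey {
        match self.scope {
            RecordScope::InvokingOnly => TimestampKey { invoking, authenticated_as: None },
            RecordScope::InvokingAndAuthenticated => TimestampKey { invoking, authenticated_as: Some(target) },
        }
    }

    /// Simulate `sudo -u <target> cmd` run by `invoking` with targetpw set.
    /// `offered` is the password the user would type at the prompt; None means
    /// they have nothing to offer. Returns true if the command would run.
    fn run_as(&mut self, invoking: Uid, target: Uid, offered: Option<&str>) -> bool {
        let key = self.key(invoking, target);
        if let Some(&at) = self.stamps.get(&key) {
            if self.now.saturating_sub(at) < self.timeout {
                return true; // valid cached authentication: no prompt at all
            }
        }
        // targetpw/rootpw: the password that must match is the *target's*.
        let ok = matches!((offered, self.passwords.get(&target)), (Some(o), Some(p)) if o == *p);
        if ok {
            self.stamps.insert(key, self.now);
        }
        ok
    }
}

/// The advisory's scenario: bob knows alice's password, authenticates as alice,
/// then asks for root within the timeout without any password.
/// Returns (first attempt allowed, second attempt allowed).
fn scenario(scope: RecordScope) -> (bool, bool) {
    let (root, bob, alice) = (Uid(0), Uid(1001), Uid(1002));
    let mut m = SudoModel::new(scope);
    m.passwords.insert(root, "constructed-root-pw");
    m.passwords.insert(bob, "constructed-bob-pw");
    m.passwords.insert(alice, "constructed-alice-pw");

    let first = m.run_as(bob, alice, Some("constructed-alice-pw"));
    m.now += 60; // one minute later, well inside the 15-minute window
    let second = m.run_as(bob, root, None);
    (first, second)
}

fn main() {
    println!("keyed on invoking uid only:        {:?}", scenario(RecordScope::InvokingOnly));
    println!("keyed on invoking + authenticated: {:?}", scenario(RecordScope::InvokingAndAuthenticated));
}
```

In the flawed variant the second call returns true: the record written after authenticating as alice matches the lookup for root, so no prompt is issued. Keying the record on the verified identity as well makes the root lookup miss, and with no password offered the command is refused; only an expired or absent record for that exact pair falls through to a fresh password check.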