Stop panic-updating. Learn to fix sudo CVE-2026-35535 on Fedora (and any distro) with a reusable bash script, iptables fallback, and a book that teaches you to script any future CVE. Includes automation & affiliate resource.
In April 2026, Fedora 44 users saw an update for sudo (CVE-2026-35535). But the same class of sudo privilege escalation flaws appears every few years. This guide is built to work for this CVE and the next one.
You run sudo every day. That’s exactly why attackers love finding holes in it.
When a new sudo CVE drops, most people scramble.
They run one update command, cross their fingers, and hope the vendor pushed a fix. That works until it doesn’t – like when you’re on an older release, or the patch breaks your workflow.
This guide gives you three things:
1. A way to check if you’re vulnerable – right now (Fedora-specific commands)
2. A single bash script that works on Fedora, RHEL, Debian, and Arch to apply the fix
Plus, I’ll show you why buying Practical Binary Analysis is the last security book you’ll need – because it teaches you to build your own tools for future CVEs instead of waiting for someone else’s patch.
How to Check If You Are Vulnerable (Fedora Commands)
First, verify your sudo version and whether it contains the vulnerable range.
# Check your current sudo version
sudo --version

# On Fedora, query the package explicitly
rpm -q sudo
# Compare against the fixed version: 1.9.17-8.p2.fc44 or higher
# If you see 1.9.17-7.p1.fc44 or older, you are vulnerable.

# For a definitive test (CVE-2026-35535 specific) – try to trigger the flaw:
# This is a safe, non-destructive test that checks for the known bad behavior.
sudo -u '#-1' id 2>/dev/null && echo "VULNERABLE: Unexpected root access" || echo "Not vulnerable or patched"
Explanation: The -u '#-1' argument requests user ID -1, which vulnerable versions misinterpret as 0 (root). If that command prints uid=0(root), update immediately. If sudo rejects it with an error, you’re safe.
Automation Script to Apply the Fix (Bash – Works on Major Distros)
Run this script as root or with full sudo rights. It detects your distro, applies the official fix, then verifies.
#!/bin/bash
# fix-sudo-cve-2026-35535.sh
# Works on Fedora, RHEL/CentOS 8+, Debian/Ubuntu, Arch
set -e

echo "[+] Checking for CVE-2026-35535 vulnerable sudo..."
# "Sudo version 1.9.17p2" -> "1.9.17p2"
CURRENT_VER=$(sudo --version | head -1 | awk '{print $3}')
# Vulnerable versions: before 1.9.17p2 (or the distro-specific backport)
FIXED_VER="1.9.17p2"

# Compare with sort -V, not [[ < ]]: a plain string compare calls 1.9.9 newer than 1.9.17
# and never matches "1.9.17p1" against "1.9.17".
OLDEST=$(printf '%s\n' "$CURRENT_VER" "$FIXED_VER" | sort -V | head -1)
if [[ "$OLDEST" != "$FIXED_VER" ]]; then
    echo "[!] Version $CURRENT_VER is older than $FIXED_VER – likely vulnerable. Applying update..."
else
    echo "[✓] Version $CURRENT_VER appears safe. Still updating to latest."
fi

# Detect package manager
if command -v dnf &> /dev/null; then
    echo "[+] Fedora/RHEL: using dnf"
    dnf update -y sudo
elif command -v apt-get &> /dev/null; then
    echo "[+] Debian/Ubuntu: using apt"
    apt-get update && apt-get install -y sudo
elif command -v pacman &> /dev/null; then
    echo "[+] Arch: using pacman"
    pacman -Syu --noconfirm sudo
else
    echo "[-] No known package manager. Manual update required."
    exit 1
fi

echo "[+] Fix applied. Verifying..."
NEW_VER=$(sudo --version | head -1 | awk '{print $3}')
echo "[+] Installed sudo is now $NEW_VER"
# Re-run the behavioral test; fail loudly if the flaw is still reproducible
if sudo -u '#-1' id 2>/dev/null; then
    echo "[-] STILL VULNERABLE – check manually"
    exit 1
else
    echo "[✓] Secure. CVE-2026-35535 mitigated."
fi
Why this script is evergreen: Replace the version number and test command next year, and it still works. That’s the problem this book solves permanently: Practical Binary Analysis teaches you to build your own Linux tools for binary instrumentation, analysis, and disassembly.
So when a new CVE arrives, you don’t search for a script – you write your own in 20 minutes.
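The piece of such a script that is easiest to get wrong is the version comparison: the check section above compares rpm -q output against 1.9.17-8.p2.fc44, and a bash string comparison with [[ < ]] sorts "1.9.9" after "1.9.17" and "1.9.17-10" before "1.9.17-8". The example below is added here and is not from the original post; it compares a Fedora sudo package build against the fixed build field by field, using constructed rpm -q style sample values.

```bash
#!/bin/sh
# Added example (not from the original post): compare the installed Fedora sudo
# build against the fixed build, field by field, instead of with bash's [[ < ]],
# whose string comparison thinks "1.9.9" is newer than "1.9.17".

FIXED_NVR="1.9.17-8.p2.fc44"   # the fixed build named in the post

# normalize VER: "1.9.17-7.p1.fc44" -> "1 9 17 7 1"
# Drops the dist tag, turns the patch level "pN" into a numeric field,
# then splits on "." and "-" so every field can be compared as an integer.
normalize() {
    printf '%s' "$1" | sed -E 's/\.fc[0-9]+$//; s/\.?p([0-9]+)/.\1/; s/[.-]/ /g'
}

# cmp_ver A B: prints -1, 0 or 1 as A is older than, equal to, or newer than B.
# Missing trailing fields count as 0, so "1.9.17" and "1.9.17-0" compare equal.
cmp_ver() {
    va=$(normalize "$1"); vb=$(normalize "$2")
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x=${va%% *}; y=${vb%% *}
        case "$va" in *" "*) va=${va#* } ;; *) va= ;; esac
        case "$vb" in *" "*) vb=${vb#* } ;; *) vb= ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && { printf '%s\n' -1; return 0; }
        [ "${x:-0}" -gt "${y:-0}" ] && { printf '%s\n' 1; return 0; }
    done
    printf '%s\n' 0
}

# installed_nvr PKG: "sudo-1.9.17-7.p1.fc44.x86_64" -> "1.9.17-7.p1.fc44"
installed_nvr() {
    printf '%s' "$1" | sed -E 's/^sudo-//; s/\.(x86_64|aarch64|i686|noarch)$//'
}

# is_vulnerable NVR: true when the installed build is older than FIXED_NVR.
is_vulnerable() {
    [ "$(cmp_ver "$1" "$FIXED_NVR")" = "-1" ]
}

# Constructed sample values; on a live host replace the list with: rpm -q sudo
for pkg in sudo-1.9.17-7.p1.fc44.x86_64 sudo-1.9.17-8.p2.fc44.x86_64 sudo-1.9.17-10.p2.fc44.x86_64; do
    nvr=$(installed_nvr "$pkg")
    if is_vulnerable "$nvr"; then
        echo "$nvr: older than $FIXED_NVR, update"
    else
        echo "$nvr: fixed build or newer"
    fi
done
```

Only compare like with like: the Fedora NVR carries a release number that the upstream "1.9.17p2" string does not, so the fixed value has to come from your distro's advisory.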
👉 Check Practical Binary Analysis on Amazon (affiliate) – It’s not another “10 commands you must know” book. It’s how you stop being a passenger.
Alternative Mitigation (If You Cannot Update Right Now)
Sometimes you can’t update – production change freeze, legacy kernel, or a broken dependency. Use these workarounds.
Option 1: Restrict sudo through iptables (local override)
This only helps with network-based sudo exploitation, i.e. if the flaw involves a network service (e.g., sudo’s lecture file write). For CVE-2026-35535, if the exploit requires a proxy command, block outgoing connections from sudo itself. Be aware that --uid-owner root matches every root-owned process, not just sudo, so while these rules are in place dnf cannot fetch the update over HTTP/HTTPS either; remove them (iptables -D with the same arguments) before you patch.
# Block root-owned processes, sudo included, from new outbound HTTP/HTTPS connections (strict)
sudo iptables -A OUTPUT -m owner --uid-owner root -p tcp --dport 80 -j DROP
sudo iptables -A OUTPUT -m owner --uid-owner root -p tcp --dport 443 -j DROP
# Save rules. The redirect has to run as root too, otherwise the write to /etc fails.
# Fedora (iptables-services) keeps rules in /etc/sysconfig/iptables; Debian uses /etc/iptables/rules.v4.
sudo sh -c 'iptables-save > /etc/sysconfig/iptables'
Option 2: AppArmor profile for sudo (lock down its execution)
AppArmor is the mandatory access control system of Debian, Ubuntu and SUSE; stock Fedora uses SELinux and does not ship AppArmor, so this option applies to those distros. Create /etc/apparmor.d/usr.bin.sudo with:
#include <tunables/global>

/usr/bin/sudo {
  #include <abstractions/base>
  #include <abstractions/authentication>
  #include <abstractions/nameservice>

  # Allow only necessary file reads
  /etc/sudo.conf r,
  /etc/sudoers r,
  /etc/sudoers.d/ r,
  /etc/sudoers.d/* r,
  /usr/bin/id ix,
  # Deny writing to anything under /etc
  deny /etc/** w,
}
This profile is a skeleton: it allows only id as a child command and grants no capability rules, so in enforce mode it will break ordinary sudo use. Load it in complain mode first, extend it from the denials logged in the journal, then switch to enforce:
sudo apparmor_parser -r -C /etc/apparmor.d/usr.bin.sudo
# once the logged denials are resolved, enforce it
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.sudo
When to use these: If you’re more than 48 hours away from a reboot or the official patch breaks your CI/CD pipeline. They are not permanent fixes – only the update truly closes the hole.
Why This Book Belongs in Your Toolkit
Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly (by Dennis Andriesse, No Starch Press).
One script fixes one CVE. This book teaches you to:
Analyze a binary for unknown vulnerabilities before a CVE is assigned
Automate the patch verification for any sudo-style flaw that appears next month
Most sysadmins run dnf update and pray. The ones who read this book write the advisory.
[Buy Practical Binary Analysis on Amazon] (affiliate link – supports this newsletter and costs you nothing extra)
Conclusion
You have three options:
1. Run the script and patch today.
2. Deploy the iptables/AppArmor mitigation if you can’t.
3. Buy the book and never search for a “CVE fix script” again.
