CVE-2025-64170
Publication date 12 November 2025
Last updated 19 November 2025
Ubuntu priority
CVSS 3 Severity Score
Description
sudo-rs is a memory-safe implementation of sudo and su written in Rust. Starting in version 0.2.7 and prior to version 0.2.10, if a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens, the keystrokes that were entered are echoed back to the console. This could reveal partial password information: the echoed keystrokes are visible on screen and, if not carefully handled by the user, may also end up in history files, making them usable for social engineering or pass-by attacks. Version 0.2.10 fixes the issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| rust-sudo-rs | 25.10 questing | Fixed 0.2.8-1ubuntu5.2 |
| rust-sudo-rs | 25.04 plucky | Not affected |
| rust-sudo-rs | 24.04 LTS noble | Not affected |
| rust-sudo-rs | 22.04 LTS jammy | Not in release |
Notes
rodrigo-zaiden
Password timeouts were added in sudo-rs 0.2.7, so versions prior to that are not affected. USN-7867-1 references LP bug 2130623 but not the CVE, because the CVE was assigned later than the package update publication; it refers to the fix for this issue on questing.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Physical |
| Attack complexity | High |
| Privileges required | High |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N |