Version numbers are meaningless. Yes, it’s mostly fixes, but in every release which doesn’t have p in the version number there are at least two or three things which are not fixes. As late as 2023 one of those changes did introduce a local privilege escalation: https://www.wiz.io/vulnerability-database/cve/cve-2025-32463 which was undetected for two years. For a critical piece of software with the maturity of sudo, I call that pretty concerning.
Here’s an interesting report from Google about Rust vs C++ in Android: https://security.googleblog.com/2025/11/rust-in-android-move-fast-fix-things.html?m=1