Version numbers are meaningless. Yes it’s mostly fixes, but in every release which doesn’t have p in the version number there’s at least two or three things which are not fixes. As late as 2023 one of those changes did introduce a local privilege escalation: https://www.wiz.io/vulnerability-database/cve/cve-2025-32463 which was undetected for two years. For a critical piece of software with the maturity of sudo, I call that pretty concerning.

Here’s an interesting report from Google about rust vs C++ in Android: https://security.googleblog.com/2025/11/rust-in-android-move-fast-fix-things.html?m=1

I would say yes is it developed, this is more than just big fixes : https://github.com/sudo-project/sudo/releases

No huge changes of course, but the big CVE from July was only introduced 2 years ago.

My biggest question is, why is something like sudo still developed and not finished and in maintenance mode?

Sudo is being actively developed and has several fairly recent CVEs, some of which are memory issues (at least recent compared to how old sudo is). Apart from being memory safe rust is also better at error handling than C.

IMO best would be to reduce attack surface by using a memory safe language and also reducing complex features like OpenBSD’s doas does.

https://www.cvedetails.com/vulnerability-list/vendor_id-15714/Sudo-Project.html?page=1&order=3