Debian Privilege Escalation risk?

Hi Lace,

I’m going to share some information here which I hope will be helpful. I’m not sure if you are a “noob” with regards to administering computers in general or just with QubesOS in particular. It sounds like your situation requires that you have some understanding of how the computer works in order to keep your environment secure from the particular threat you face, so I am going to point you to resources that have useful information, but I’m not going to point you to a “one size fits all” solution.

If escalation from user to admin is a concern for you, then you will need to do more than mitigate this exploit, because the default QubesOS security model assumes that user-to-admin is not a concern. This page explains why, and also includes instructions for disabling passwordless sudo. The community does not unanimously agree with passwordless sudo, but it seems to work well for most people as a default (keep in mind there is a significant sample bias to which people end up posting on this forum, and an even stronger sample bias to which forum users will decide to post on that particular thread, so the discussion there is not necessarily representative of the QubesOS community as a whole). It is possible that disabling passwordless sudo will prevent this issue from being exploitable, but I have not looked at it closely enough to be sure.

Personally, based on what you have shared about the relevant threat, I’m not sure if preventing user-to-root within a VM is something that you need to be concerned about. It is more of a concern for well-funded adversaries (state actors, global crime rings, etc.) than for individual attackers, even if they are skilled. However, if you have some reason to believe that this person might be able to access the resources of a well-funded adversary, then preventing user-to-root would be a sensible precaution in my view.

For this exploit in particular, my base expectation would be that the same mitigation would apply to a Debian VM running in QubesOS, but I would not be certain that it does. I would check that the mitigation works by trying the exploit before and after applying it (to confirm that I performed the exploit and applied the mitigation correctly, respectively). The article you shared does not include an exploit; my default source for reliable information about CVEs is NIST. The NIST page for this CVE has multiple links tagged as containing an exploit. It also contains links to the vulnerability announcements for Debian and Fedora. If I were mitigating this vulnerability, I would check for its presence in all templates (including Whonix if you use it).

Regards,
Skyler
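As an added example (not Skyler's code or the Qubes project's own), here is a dom0 shell script that checks every TemplateVM for the Qubes passwordless-root package, so the "disable passwordless sudo" mitigation can be verified across all templates rather than just one. It assumes the Qubes 4.x `qvm-ls --raw-data --fields NAME,CLASS` output format ("name|class" lines), `qvm-run -p --user root`, and the package name `qubes-core-agent-passwordless-root`.

```shell
#!/bin/sh
# Added example, not from the original post. Audits all TemplateVMs from dom0
# for the package that grants passwordless root, so the mitigation can be
# confirmed in every template (Debian, Fedora, Whonix) rather than just one.
# Assumptions: run in dom0 on Qubes 4.x; package name as in Qubes 4.x.

# Keep only the names of TemplateVMs from "NAME|CLASS" lines on stdin.
template_names() {
    awk -F'|' '$2 == "TemplateVM" { print $1 }'
}

# Classify the in-template check output: "enabled" if the passwordless-root
# package is installed, otherwise "disabled". Handles dpkg (Debian/Whonix)
# and rpm (Fedora) output.
classify_sudo() {
    case "$1" in
        *"install ok installed"*) echo enabled ;;           # dpkg-query status
        qubes-core-agent-passwordless-root*) echo enabled ;; # rpm -q prints NVR
        *) echo disabled ;;
    esac
}

# Command executed inside each template; tries dpkg first, then rpm.
check_cmd='(dpkg-query -W -f "\${Status}" qubes-core-agent-passwordless-root 2>/dev/null || rpm -q qubes-core-agent-passwordless-root 2>/dev/null) || true'

# Query every template and print one line per template.
audit_templates() {
    qvm-ls --raw-data --fields NAME,CLASS | template_names | while read -r tmpl; do
        out=$(qvm-run -p --user root "$tmpl" "$check_cmd")
        printf '%s: passwordless root %s\n' "$tmpl" "$(classify_sudo "$out")"
    done
}

# Only talk to qvm-ls when it exists, so the helpers can be tested elsewhere.
if command -v qvm-ls >/dev/null 2>&1; then
    audit_templates
fi
```

A template that reports "enabled" still grants root via sudo without a password; templates reporting "disabled" should be re-checked by attempting the exploit inside a disposable VM based on them, as described above.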
