CVE-2026-35385

EUVD-2026-18398
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 18%
Affected Products (NVD)
VendorProductVersion
openbsdopenssh
𝑥
< 10.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openssh
bookworm
1:9.2p1-2+deb12u10
fixed
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
1:8.4p1-5+deb11u7
fixed
forky
1:10.3p1-1
fixed
sid
1:10.3p1-2
fixed
trixie
1:10.0p1-7+deb13u4
fixed
trixie (security)
vulnerable
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
openssh
RHEL 8
0:8.0p1-29.el8_10
fixed
RHEL 9
0:9.9p1-7.el9_8
fixed
openssh-askpass
RHEL 8
0:8.0p1-29.el8_10
fixed
RHEL 9
0:9.9p1-7.el9_8
fixed
openssh-cavs
RHEL 8
0:8.0p1-29.el8_10
fixed
openssh-clients
RHEL 8
0:8.0p1-29.el8_10
fixed
RHEL 9
0:9.9p1-7.el9_8
fixed
openssh-keycat
RHEL 8
0:8.0p1-29.el8_10
fixed
RHEL 9
0:9.9p1-7.el9_8
fixed
openssh-ldap
RHEL 8
0:8.0p1-29.el8_10
fixed
openssh-server
RHEL 8
0:8.0p1-29.el8_10
fixed
RHEL 9
0:9.9p1-7.el9_8
fixed
pam
RHEL 8
0:0.10.3-7.29.el8_10
fixed
RHEL 9
0:0.10.4-7.7.el9_8
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2
https://www.openssh.org/releasenotes.html#10.3p1
https://www.openwall.com/lists/oss-security/2026/04/02/3