OpenSSH <10.3 Setuid/Gid Escalation via SCP -O (no -p)
CVE-2026-35385 Published on April 2, 2026
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
Vulnerability Analysis
CVE-2026-35385 can be exploited with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Improper Preservation of Permissions
The software does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
Products Associated with CVE-2026-35385
stack.watch emails you whenever new vulnerabilities are published in OpenBSD OpenSSH or Canonical Ubuntu Linux. Just hit a watch button to start following.
Affected Versions
OpenBSD OpenSSH:- Before 10.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.