OpenSSH <10.3 Setuid/Gid Escalation via SCP -O (no -p)
CVE-2026-35385 Published on April 2, 2026
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
Vulnerability Analysis
CVE-2026-35385 can be exploited with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Improper Preservation of Permissions
The software does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
Products Associated with CVE-2026-35385
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-35385 are published in these products:
Affected Versions
OpenBSD OpenSSH:- Before 10.3 is affected.
- Version 0:9.9p1-14.el10_1 and below * is unaffected.
- Version 0:9.9p1-23.el10_2 and below * is unaffected.
- Version 0:9.9p1-7.el10_0.3 and below * is unaffected.
- Version 0:5.3p1-125.el6_10.1 and below * is unaffected.
- Version 0:7.4p1-23.el7_9.2 and below * is unaffected.
- Version 0:8.0p1-29.el8_10 and below * is unaffected.
- Version 0:8.0p1-7.el8_4.2 and below * is unaffected.
- Version 0:8.0p1-7.el8_4.2 and below * is unaffected.
- Version 0:8.0p1-15.el8_6.5 and below * is unaffected.
- Version 0:8.0p1-15.el8_6.5 and below * is unaffected.
- Version 0:8.0p1-15.el8_6.5 and below * is unaffected.
- Version 0:8.0p1-20.el8_8.4 and below * is unaffected.
- Version 0:8.0p1-20.el8_8.4 and below * is unaffected.
- Version 0:8.7p1-49.el9_7 and below * is unaffected.
- Version 0:9.9p1-7.el9_8 and below * is unaffected.
- Version 0:8.7p1-30.el9_2.11 and below * is unaffected.
- Version 0:8.7p1-38.el9_4.8 and below * is unaffected.
- Version 0:8.7p1-45.el9_6.3 and below * is unaffected.
- Version 412.86.202606140301-0 and below * is unaffected.
- Version 413.92.202606160406-0 and below * is unaffected.
- Version 414.92.202606231112-0 and below * is unaffected.
- Version 415.92.202606200237-0 and below * is unaffected.
- Version 416.94.202606051757-0 and below * is unaffected.
- Version 417.94.202606250942-0 and below * is unaffected.
- Version 418.94.202606051320-0 and below * is unaffected.
- Version 4.19.9.6.202605201155-0 and below * is unaffected.
- Version 1780681984 and below * is unaffected.
- Version 1782352950 and below * is unaffected.
- Version 1782352919 and below * is unaffected.
- Version 1782353093 and below * is unaffected.
- Version 1782352847 and below * is unaffected.
- Version 1778101579 and below * is unaffected.
- Version 1778156756 and below * is unaffected.
- Version 1779798165 and below * is unaffected.
- Version 1779798222 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.