CVE-2026-35385
Modified Modified - Updated After Analysis

Setuid/Setgid Installation Vulnerability in OpenSSH scp Before

Vulnerability report for CVE-2026-35385, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-02

Last updated on: 2026-07-02

Assigner: MITRE

Description

In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-02
Last Modified
2026-07-02
Generated
2026-07-06
AI Q&A
2026-04-02
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openbsd openssh to 10.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-281 The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, avoid using the legacy scp protocol option -O when downloading files as root without the -p option to preserve mode.

Consider upgrading OpenSSH to version 10.3 or later where this issue is resolved.

Executive Summary

This vulnerability exists in OpenSSH versions before 10.3. When using the scp command to download a file as root with the -O option (which uses the legacy scp protocol) and without the -p option (which preserves the file mode), the downloaded file may be installed with setuid or setgid permissions. This behavior can be unexpected and potentially dangerous because it grants elevated privileges to the downloaded file.

Impact Analysis

The impact of this vulnerability is that a file downloaded via scp could unintentionally have setuid or setgid bits set, which means the file could execute with elevated privileges. This can lead to privilege escalation, allowing an attacker or unintended user to gain higher access rights on the system, potentially compromising confidentiality, integrity, and availability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35385. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart