CVE-2026-35385
Setuid/Setgid Installation Vulnerability in OpenSSH scp Before
Publication date: 2026-04-02
Last updated on: 2026-04-27
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openbsd | openssh | before 10.3 (10.3 not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-281 | The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid using the legacy scp protocol (the -O option) to download files as root without the -p option that preserves file mode.
Upgrade OpenSSH to version 10.3 or later, where this issue is resolved.
Can you explain this vulnerability to me?
This vulnerability exists in OpenSSH versions before 10.3. When scp is used to download a file as root with the -O option (which selects the legacy scp protocol) and without the -p option (which explicitly preserves the file mode), the downloaded file may nevertheless be installed with setuid or setgid permissions. This is unexpected and potentially dangerous, because those bits grant elevated privileges to whoever executes the downloaded file.
How can this vulnerability impact me?
The impact of this vulnerability is that a file downloaded via scp could unintentionally have setuid or setgid bits set, which means the file could execute with elevated privileges. This can lead to privilege escalation, allowing an attacker or unintended user to gain higher access rights on the system, potentially compromising confidentiality, integrity, and availability.
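The permission-handling mistake described above (CWE-281: applying a sender-supplied mode verbatim so that setuid/setgid survive a copy the caller never asked to preserve) can be modelled in a few lines. This is an added illustrative example, not OpenSSH's code: `mode_for_download` is the hardened behaviour (strip the privilege bits unless preserve was requested), `vulnerable_mode_for_download` is the flawed one, and `find_privileged_files` is a defender-side check a practitioner can run over a download directory; all function names and the sample mode are assumptions.

```python
import os
import stat
import tempfile

# Bits that grant elevated privilege at execution time: setuid and setgid.
PRIVILEGE_BITS = stat.S_ISUID | stat.S_ISGID


def mode_for_download(remote_mode: int, preserve: bool) -> int:
    """Hardened rule: only keep setuid/setgid when the caller asked to
    preserve mode (the -p case); otherwise a remote peer could install a
    privileged file on the receiving side."""
    mode = remote_mode & 0o7777
    if not preserve:
        mode &= ~PRIVILEGE_BITS
    return mode


def vulnerable_mode_for_download(remote_mode: int) -> int:
    """Flawed rule (CWE-281): the remote mode is applied exactly as sent,
    so setuid/setgid bits from the sender end up on the local file."""
    return remote_mode & 0o7777


def write_download(path: str, data: bytes, remote_mode: int, preserve: bool) -> int:
    """Create the file with a private mode first, then apply the computed
    mode; returns the permission bits actually set on disk."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, mode_for_download(remote_mode, preserve))
    return stat.S_IMODE(os.stat(path).st_mode)


def find_privileged_files(root: str) -> list:
    """Defender check: list regular files under root carrying setuid or setgid."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & PRIVILEGE_BITS:
                hits.append(p)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample: the remote side advertises mode 04755 (setuid).
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "tool")
        print(oct(write_download(p, b"#!/bin/sh\n", 0o4755, preserve=False)))  # 0o755
        print(find_privileged_files(d))  # []
```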