CVE-2026-35385

high

Description

In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

References

https://www.openssh.org/releasenotes.html#10.3p1

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-35385.json

https://bugzilla.redhat.com/show_bug.cgi?id=2454469

https://access.redhat.com/security/cve/CVE-2026-35385

https://access.redhat.com/errata/RHSA-2026:30089

https://access.redhat.com/errata/RHSA-2026:30088

https://access.redhat.com/errata/RHSA-2026:30087

https://access.redhat.com/errata/RHSA-2026:30078

https://access.redhat.com/errata/RHSA-2026:28887

https://access.redhat.com/errata/RHSA-2026:26542

https://access.redhat.com/errata/RHSA-2026:26528

https://access.redhat.com/errata/RHSA-2026:25181

https://access.redhat.com/errata/RHSA-2026:25096

https://access.redhat.com/errata/RHSA-2026:25063

https://access.redhat.com/errata/RHSA-2026:25044

https://access.redhat.com/errata/RHSA-2026:22648

https://access.redhat.com/errata/RHSA-2026:22564

https://access.redhat.com/errata/RHSA-2026:22468

https://access.redhat.com/errata/RHSA-2026:22329

https://access.redhat.com/errata/RHSA-2026:21398

https://access.redhat.com/errata/RHSA-2026:21298

https://access.redhat.com/errata/RHSA-2026:21275

https://access.redhat.com/errata/RHSA-2026:20040

https://access.redhat.com/errata/RHSA-2026:19219

https://access.redhat.com/errata/RHSA-2026:19069

https://access.redhat.com/errata/RHSA-2026:16059

https://access.redhat.com/errata/RHSA-2026:14937

https://access.redhat.com/errata/RHSA-2026:13383

https://access.redhat.com/errata/RHSA-2026:13381

https://access.redhat.com/errata/RHSA-2026:13380

https://access.redhat.com/errata/RHSA-2026:12389

Details

Source: Mitre, NVD

Published: 2026-04-02

Updated: 2026-07-02

Risk Information

CVSS v2

Base Score: 7.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00036