In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
https://www.openssh.org/releasenotes.html#10.3p1
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-35385.json
https://bugzilla.redhat.com/show_bug.cgi?id=2454469
https://access.redhat.com/security/cve/CVE-2026-35385
https://access.redhat.com/errata/RHSA-2026:30089
https://access.redhat.com/errata/RHSA-2026:30088
https://access.redhat.com/errata/RHSA-2026:30087
https://access.redhat.com/errata/RHSA-2026:30078
https://access.redhat.com/errata/RHSA-2026:28887
https://access.redhat.com/errata/RHSA-2026:26542
https://access.redhat.com/errata/RHSA-2026:26528
https://access.redhat.com/errata/RHSA-2026:25181
https://access.redhat.com/errata/RHSA-2026:25096
https://access.redhat.com/errata/RHSA-2026:25063
https://access.redhat.com/errata/RHSA-2026:25044
https://access.redhat.com/errata/RHSA-2026:22648
https://access.redhat.com/errata/RHSA-2026:22564
https://access.redhat.com/errata/RHSA-2026:22468
https://access.redhat.com/errata/RHSA-2026:22329
https://access.redhat.com/errata/RHSA-2026:21398
https://access.redhat.com/errata/RHSA-2026:21298
https://access.redhat.com/errata/RHSA-2026:21275
https://access.redhat.com/errata/RHSA-2026:20040
https://access.redhat.com/errata/RHSA-2026:19219
https://access.redhat.com/errata/RHSA-2026:19069
https://access.redhat.com/errata/RHSA-2026:16059
https://access.redhat.com/errata/RHSA-2026:14937
https://access.redhat.com/errata/RHSA-2026:13383
https://access.redhat.com/errata/RHSA-2026:13381