Platform: linux
Component: openssh
Fixed in: 10.3
CVE-2026-35385 affects OpenSSH versions prior to 10.3. The vulnerability arises when scp is run as root using the legacy scp protocol (-O) and without the preserve-mode flag (-p). The consequence is that files downloaded via scp may be installed with unintended setuid or setgid permissions, potentially granting attackers access and control they should not have. The vulnerability is resolved in OpenSSH 10.3.
The core impact of CVE-2026-35385 is privilege escalation. If an attacker can cause an scp transfer to run as root (for example, through a compromised account or a misconfigured system) and the downloaded file is later executed or accessed, that file carries a setuid or setgid bit it should not have. This could allow the attacker to bypass normal user restrictions and run commands with root privileges. The risk is amplified if the downloaded file is a script or executable that is run automatically after installation. The -p flag is meant to prevent this; omitting it is what exposes the vulnerability. The blast radius is significant, since successful exploitation could grant complete control over the affected system. While there is no direct precedent for this exact scenario, it resembles earlier vulnerabilities in which file permissions were mishandled during transfer or installation, leading to unintended privilege elevation.
CVE-2026-35385 was published on April 2, 2026. Its severity is rated High (CVSS 7.5). As of the publication date there is no indication that the vulnerability is being exploited in the wild, and no public proof-of-concept (PoC) exploits are available. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing. The EPSS (Exploit Prediction Scoring System) score is likely to be low initially but could rise if a public exploit is released.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-35385 is to upgrade OpenSSH to version 10.3 or later. If an immediate upgrade is not feasible, disable the legacy scp protocol (-O) if it is not essential. Alternatively, ensure that the -p (preserve mode) flag is always used when performing scp transfers as root; this prevents the downloaded file from being installed with the wrong permissions. Apply strict file permission controls on the target system to limit the impact of any successful exploitation. Monitor system logs for unusual scp activity, particularly transfers initiated by root. A Web Application Firewall (WAF) or proxy to inspect and filter scp traffic is sometimes suggested, although this is uncommon for SSH and may introduce performance overhead. After upgrading, confirm the fix by performing an scp transfer as root with the -O flag and verifying that the downloaded file does not receive setuid or setgid permissions.
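As an added example (not from this advisory or from the OpenSSH project), the POSIX shell script below implements the two checks described above: it parses the version string printed by ssh -V to decide whether the installed OpenSSH predates the 10.3 fix, and it audits a destination directory for files that carry setuid or setgid bits after a transfer. The function names and the directory argument are this example's own; it assumes a Linux system with ls, sed and find available.

```shell
#!/bin/sh
# Added example for CVE-2026-35385 (not part of the advisory or of OpenSSH).
# openssh_vulnerable "OpenSSH_10.2p1 ..."  -> returns 0 if the version is < 10.3,
#                                            1 if 10.3 or later, 2 if unparseable
# has_setuid_or_setgid FILE                -> returns 0 if FILE has setuid or setgid set
# audit_dir DIR                            -> prints every regular file under DIR
#                                            that carries either bit

openssh_vulnerable() {
    # Reduce "OpenSSH_10.2p1, OpenSSL 3.0.13 30 Jan 2024" to "10 2"
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    major=$1; minor=$2
    if [ "$major" -lt 10 ]; then return 0; fi
    if [ "$major" -eq 10 ] && [ "$minor" -lt 3 ]; then return 0; fi
    return 1
}

has_setuid_or_setgid() {
    # First 10 chars of "ls -ld", e.g. "-rwsr-xr-x": an s/S at position 4 is setuid,
    # at position 7 setgid (S means the bit is set without the execute bit).
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perms" ] || return 2
    case "$perms" in
        ???[sS]*|??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

audit_dir() {
    find "$1" -type f | while IFS= read -r f; do
        if has_setuid_or_setgid "$f"; then printf '%s\n' "$f"; fi
    done
}

# When run directly: report whether the installed OpenSSH predates the fix, then
# audit the directory given as the first argument (e.g. the scp destination).
if command -v ssh >/dev/null 2>&1; then
    ver_line=$(ssh -V 2>&1)
    if openssh_vulnerable "$ver_line"; then
        echo "NOT FIXED: $ver_line is older than 10.3"
    else
        echo "version check: $ver_line (10.3 or later, or unparseable)"
    fi
fi
if [ $# -ge 1 ]; then audit_dir "$1"; fi
```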
Upgrade OpenSSH to version 10.3 or later. This fixes the vulnerability that allows files downloaded with scp to be unexpectedly installed with setuid or setgid permissions when the -O option (legacy scp protocol) is used as root without the -p option (preserve mode).
It's a vulnerability in OpenSSH versions before 10.3 that allows files downloaded via scp as root to be installed with setuid/setgid permissions, potentially leading to privilege escalation.
If you're running any OpenSSH version up to and including 10.2, you are potentially affected. Check your OpenSSH version and upgrade if necessary.
Upgrade OpenSSH to version 10.3 or later. If upgrading isn't possible immediately, disable the legacy scp protocol (-O) or always use the -p (preserve mode) flag.
As of the publication date, there is no evidence of active exploitation, and no public PoCs are available.
Refer to the official OpenSSH security advisory and the NVD entry for CVE-2026-35385 for detailed information.