CVE-2026-35385

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions OpenSSH versions prior to 10.3

Description When using the -O option with the legacy scp protocol as root without the -p option, a downloaded file may be installed with setuid or setgid permissions, which may not align with user expectations.

Recommendations Update to version 10.3 or later.

Fix

Improper Preservation of Permissions

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-281

Related Identifiers

ALSA-2026:13380

ALSA-2026:13381

ALSA-2026:13383

ALSA-2026:19069

ALSA-2026:19219

CVE-2026-35385

ECHO-13E9-2447-AE62

JLSEC-2026-74

OESA-2026-1963

OPENSUSE-SU-2026:10804-1

RHSA-2026:12389

RHSA-2026:13380

RHSA-2026:13381

RHSA-2026:13383

RHSA-2026:16059

RHSA-2026:19069

RHSA-2026:19219

USN-8222-1

Affected Products

Ibm Aix

Linuxmint

Openssh

Rocky Linux

Ubuntu

CVE-2026-35385

Weakness Enumeration

Related Identifiers

Affected Products

References · 66