CVE-2026-35385

HIGH

OpenSSH <10.3 - Privilege Escalation

Title source: llm

Description

In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

References (3)

https://www.openssh.org/releasenotes.html#10.3p1

https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2

https://www.openwall.com/lists/oss-security/2026/04/02/3

Scores

CVSS v3 7.5

EPSS 0.0004

EPSS Percentile 11.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-281

Status published

Products (2)

OpenBSD/OpenSSH < 10.3

openbsd/openssh < 10.3

Published Apr 02, 2026

Tracked Since Apr 02, 2026