{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-35385", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-02T16:30:59.107Z", "datePublished": "2026-04-02T16:30:59.615Z", "dateUpdated": "2026-04-03T03:55:44.273Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenSSH", "vendor": "OpenBSD", "versions": [{"lessThan": "10.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-281", "description": "CWE-281 Improper Preservation of Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T18:15:37.128Z"}, "references": [{"url": "https://www.openssh.org/releasenotes.html#10.3p1"}, {"url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.3"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-35385"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T03:55:44.273Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35385", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T17:06:07.193778Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:06:11.715Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenBSD", "product": "OpenSSH", "versions": [{"status": "affected", "version": "0", "lessThan": "10.3", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.openssh.org/releasenotes.html#10.3p1"}, {"url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-281", "description": "CWE-281 Improper Preservation of Permissions"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "10.3"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-02T18:15:37.128Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35385", "state": "PUBLISHED", "dateUpdated": "2026-04-03T03:55:44.273Z", "dateReserved": "2026-04-02T16:30:59.107Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-02T16:30:59.615Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "matchCriteriaId": "F40F50BC-86AA-4D7F-88A5-A244CD7606F3", "versionEndExcluding": "10.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode)."}], "id": "CVE-2026-35385", "lastModified": "2026-04-27T14:02:23.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-02T17:16:27.450", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://www.openssh.org/releasenotes.html#10.3p1"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-281"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "OpenSSH: OpenSSH: Privilege escalation via scp legacy protocol when not preserving file mode", "id": "2454469", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454469"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-281", "details": ["In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).", "A flaw was found in OpenSSH. When the `scp` command is used by a root user to download a file with the legacy protocol option (`-O`) and without preserving original file permissions (`-p`), the downloaded file can be installed with elevated privileges (setuid or setgid). This unexpected behavior could allow a malicious file to execute with higher permissions than intended, posing a security risk through potential privilege escalation."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-35385", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-02T16:30:59Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-35385\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-35385\nhttps://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2\nhttps://www.openssh.org/releasenotes.html#10.3p1\nhttps://www.openwall.com/lists/oss-security/2026/04/02/3"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.3)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenSSH", "source": "cna", "vendor": "OpenBSD"}, "product": "openssh", "vendor": "openbsd"}], "analysis": {"en": {"generated_at": "2026-04-02T23:24:02.036806+00:00", "value": {"mitigation_remediation": ["Upgrade OpenSSH to version 10.3 or later", "Avoid running scp as root with the -O flag unless absolutely necessary", "Use the -p option to preserve file mode when file execution privileges are critical", "Verify that received files do not have unexpected setuid or setgid bits", "Restrict scp usage for privileged users to reduce exposure"], "summary": {"action": "Immediate Patch", "impact": "Setuid/Setgid Assignment via scp"}, "threat_synthesis": {"affected_systems": "All installations of OpenBSD OpenSSH released before version 10.3 are affected. The issue occurs when the OpenSSH client or server is invoked by a root user who utilizes scp with the -O flag and omits -p, leading to files that are set to run with setuid or setgid permissions on the destination host.", "description_and_impact": "OpenSSH versions prior to 10.3 allow a file transferred with scp to be installed with setuid or setgid bits when the command is executed as root using the legacy scp protocol flag -O and without the -p option to preserve mode. This unintended privilege assignment can cause the file to run with elevated permissions or under an unintended user identity, potentially enabling malicious code execution with higher authority than intended. The weakness is rooted in an improper handling of privilege settings during file transfer (CWE-281).", "risk_and_exploitability": "The flaw carries a CVSS score of 7.5, indicating high severity. EPSS data is not available and the vulnerability is not listed in CISA\u2019s KEV catalog. An attacker who can perform scp operations as root\u2014and has the ability to choose the -O flag and omit -p\u2014can transfer a crafted file that will be installed with elevated privileges, enabling local privilege escalation or the execution of code with unintended authority. The likely attack vector is inferred to be a root-initiated scp transfer employing the described flags."}}}}, "created": "2026-04-03T07:36:10.242357+00:00", "title": "Setuid/Setgid Elevation via scp in OpenSSH <10.3", "updated": "2026-04-03T09:18:32.371935+00:00", "vendors": ["openbsd", "openbsd$PRODUCT$openssh"]}