CVE-2026-35385 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-35385 PUBLISHED CVSS 7.5 HIGH

Reported by mitre · Published April 2, 2026

In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
OpenBSD	OpenSSH	0
openbsd	openssh	0
OpenBSD	OpenSSH	0

Timeline

Apr 2, 2026 CVE Published
Apr 2, 2026 PoC Published
Apr 2, 2026 CVE Updated
Apr 2, 2026 PoC Published
Apr 2, 2026 PoC Published
Apr 2, 2026 PoC Published
May 1, 2026 Distribution Patch
May 1, 2026 Security Advisory
May 4, 2026 Distribution Patch
May 4, 2026 Security Advisory
May 4, 2026 Distribution Patch
May 4, 2026 Security Advisory

References

Open in Interactive Console →