VDB
GCVE-110-MAGEIA-2026-193
GCVE-110-MAGEIA-2026-193
Advisory Published
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid
or setgid, an outcome contrary to some users' expectations, if the
download is performed as root with -O (legacy scp protocol) and without
-p (preserve mode). (CVE-2026-35385)
In OpenSSH before 10.3, command execution can occur via shell
metacharacters in a username within a command line. This requires a
scenario where the username on the command line is untrusted, and also
requires a non-default configurations of % in ssh_config.
(CVE-2026-35386)
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any
ECDSA algorithm in PubkeyAcceptedAlgorithms or
HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA
algorithms. (CVE-2026-35387)
OpenSSH before 10.3 omits connection multiplexing confirmation for
proxy-mode multiplexing sessions. (CVE-2026-35388)
OpenSSH before 10.3 mishandles the authorized_keys principals option in
uncommon scenarios involving a principals list in conjunction with a
Certificate Authority that makes certain use of comma characters.
(CVE-2026-35414)
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Mageia | openssh | 0 (affected), 9.3p1-2.7.mga9 (unaffected) | — |
References
Browse GCVE Records
72,580 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.