PatchSiren cyber security CVE debrief
CVE-2026-35385 OpenBSD CVE debrief
CVE-2026-35385 is a high-severity vulnerability in OpenSSH that allows a file downloaded by scp to be installed setuid or setgid, contrary to user expectations, when the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode). This issue affects OpenSSH versions before 10.3. The vulnerability has a CVSS score of 7.5 and is considered high severity. The CVE was published on April 2, 2026, and last modified on June 30, 2026.
- Vendor: OpenBSD
- Product: OpenSSH
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-02
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-02
- Advisory updated: 2026-06-30
Who should care
System administrators and security teams responsible for OpenSSH installations should be aware of this vulnerability. Affected systems include those using OpenSSH versions before 10.3, particularly if scp is used to download files as root. Red Hat has released several errata related to this vulnerability, indicating widespread impact.
Technical summary
The vulnerability exists in the scp functionality of OpenSSH, specifically when using the legacy protocol (-O) without preserving file modes (-p). When a file is downloaded as root under these conditions, it may be installed with setuid or setgid permissions, potentially leading to privilege escalation. The issue is addressed in OpenSSH version 10.3. The CVSS score is 7.5, indicating high severity. The weakness is classified as CWE-281.
Defensive priority
High priority should be given to updating OpenSSH to version 10.3 or later. In the interim, restrict the use of scp with -O and without -p, especially for root users. Monitor systems for unexpected setuid or setgid files.
Recommended defensive actions
- Update OpenSSH to version 10.3 or later immediately.
- Restrict the use of scp with -O and without -p, especially for root users.
- Monitor systems for unexpected setuid or setgid files.
- Review and apply Red Hat errata RHSA-2026:12389 and others as necessary.
- Implement additional logging and monitoring to detect potential exploitation attempts.
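One way to carry out the version check and the setuid/setgid monitoring recommended above, as an added example that is not code from OpenSSH or any vendor advisory. The function names and the paths in the usage comment are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example for CVE-2026-35385 triage; not OpenSSH or vendor code.

# Return 0 if the banner (e.g. from `ssh -V 2>&1`) reports OpenSSH before 10.3,
# 1 if 10.3 or later, 2 if no version parses. Distribution packages can carry
# the fix under an older number, so treat 0 as "check the vendor errata".
openssh_before_10_3() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -lt 10 ] && return 0
    [ "$major" -eq 10 ] && [ "$minor" -lt 3 ] && return 0
    return 1
}

# Print, sorted, every regular file under DIR ($1) with the setuid or setgid
# bit set. -xdev keeps the walk on a single filesystem.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# Print set-id files under DIR ($2) that are missing from BASELINE ($1), a list
# saved earlier with list_setid_files. Every line printed is an unexpected file.
unexpected_setid_files() {
    current=$(mktemp) || return 2
    list_setid_files "$2" > "$current"
    LC_ALL=C comm -13 "$1" "$current"
    rm -f "$current"
}

# Typical use as root (paths below are placeholders):
#   openssh_before_10_3 "$(ssh -V 2>&1)" && echo "OpenSSH predates 10.3"
#   list_setid_files /srv/incoming > /var/lib/setid.baseline
#   unexpected_setid_files /var/lib/setid.baseline /srv/incoming
```

Take the baseline before root-run scp transfers land in the directory, then rerun the comparison afterwards; any path it prints gained a setuid or setgid bit since the baseline.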
Evidence notes
The CVE record and NVD detail provide comprehensive information about the vulnerability. Multiple Red Hat errata references indicate widespread impact and vendor response. The OpenSSH release notes and various advisories offer mitigation strategies and confirm the fix in version 10.3.
Official resources
- CVE-2026-35385 CVE record (CVE.org)
- CVE-2026-35385 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Release Notes
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.