PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35385 OpenBSD CVE debrief

CVE-2026-35385 is a high-severity vulnerability in OpenSSH: a file downloaded with scp can be installed setuid or setgid, contrary to user expectations, when the download is performed as root using -O (the legacy scp protocol) and without -p (preserve modes). OpenSSH versions before 10.3 are affected. The vulnerability carries a CVSS base score of 7.5 (High). The CVE was published on April 2, 2026 and last modified on June 30, 2026.

Vendor
OpenBSD
Product
OpenSSH
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-02
Original CVE updated
2026-06-30
Advisory published
2026-04-02
Advisory updated
2026-06-30

Who should care

System administrators and security teams responsible for OpenSSH installations should be aware of this vulnerability. Affected systems are those running OpenSSH versions before 10.3, particularly where scp is used to download files as root with -O and without -p. Red Hat has released several errata for this vulnerability, so distribution-packaged OpenSSH builds need updating, not only upstream source builds.

Technical summary

The vulnerability exists in the scp functionality of OpenSSH, specifically when the legacy protocol (-O) is used without preserving file modes (-p). When a file is downloaded as root under these conditions, it may be installed with setuid or setgid permissions even though the user did not ask for modes to be preserved. Because the download runs as root, the resulting file can be setuid root; if the remote side controls the file's content and mode, that is a privilege-escalation primitive on the downloading host. The issue is fixed in OpenSSH 10.3. The CVSS base score is 7.5 (High). The weakness is tracked as CWE-281 (Improper Preservation of Permissions).

Defensive priority

High priority should be given to updating OpenSSH to version 10.3 or later. In the interim, avoid downloading files as root with scp -O unless -p is intentionally given; scp's default transfer mode (SFTP, the default since OpenSSH 9.0) is not the legacy protocol selected by -O. Monitor systems for unexpected setuid or setgid files.

Recommended defensive actions

  • Update OpenSSH to version 10.3 or later immediately.
  • Restrict the use of scp with -O and without -p, especially for root users.
  • Monitor systems for unexpected setuid or setgid files.
  • Review and apply Red Hat errata RHSA-2026:12389 and others as necessary.
  • Implement additional logging and monitoring to detect potential exploitation attempts.
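The following shell script is an added example for the monitoring and interim-mitigation steps above; it is not part of the PatchSiren advisory or of OpenSSH. It audits a directory tree for setuid/setgid regular files and strips those bits from files that a root scp download has just written, using only POSIX find and chmod. The scratch directory and file names in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory or OpenSSH): audit for, and clear,
# setuid/setgid bits on regular files. Intended to run on the destination
# of a download performed as root with scp -O and without -p, and as a
# periodic sweep over directories that scp writes into.

# find_special_bits DIR
# Prints every regular file under DIR carrying setuid (04000) or setgid (02000).
find_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# has_special_bits FILE
# Exit status 0 if FILE is a regular file with setuid or setgid set, 1 otherwise.
# -prune keeps find from descending if FILE happens to be a directory.
has_special_bits() {
    [ -n "$(find "$1" -prune -type f \( -perm -4000 -o -perm -2000 \) -print)" ]
}

# strip_special_bits FILE...
# Clears setuid and setgid on each regular file named; directories and
# non-existent paths are skipped rather than treated as errors.
strip_special_bits() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        chmod u-s,g-s "$f"
    done
}

# demo
# Builds a constructed scratch tree standing in for a download target, with one
# file that "arrived" setuid, then shows the audit before and after stripping.
# Exit status 0 when the sweep found exactly one hit before and none after.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'payload\n' > "$tmp/tool"
    printf 'data\n' > "$tmp/readme"
    chmod 4755 "$tmp/tool"      # simulate a file written setuid by the download
    chmod 0644 "$tmp/readme"
    before=$(find_special_bits "$tmp" | wc -l)
    strip_special_bits "$tmp/tool" "$tmp/readme"
    after=$(find_special_bits "$tmp" | wc -l)
    rm -rf "$tmp"
    echo "setuid/setgid files before=$before after=$after"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

demo
```

In practice, run find_special_bits over the directories that root-level scp jobs write into and compare the output against an allowlist of the setuid binaries the system legitimately ships; any file that appears only after a transfer is the signal this advisory is about. Note that stripping the bits after the fact is a mitigation for the transfer that just completed, not a substitute for upgrading to OpenSSH 10.3.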

Evidence notes

The CVE record and the NVD entry describe the vulnerability in detail. Multiple Red Hat errata references show downstream vendor response and that distribution packages are in scope. The OpenSSH release notes and the linked advisories describe mitigations and confirm the fix in version 10.3.

Official resources

This article is AI-assisted and based on the supplied source corpus.