Improper privilege management in OpenSSH - CVE-2026-35385

 


Published: April 29, 2026


Vulnerability identifier: #VU128475
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35385
CWE-ID: CWE-269
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenSSH
Affected software: OpenSSH

Detailed vulnerability description

The vulnerability allows a local privileged user to create files with unintended setuid or setgid bits.

The vulnerability exists due to improper privilege management in scp(1) when downloading files in legacy (-O) mode as root without the -p flag set. A local privileged user can download a file with crafted mode bits to create files with unintended setuid or setgid bits.

The issue occurs only in legacy mode and only when files are downloaded as root without preserving modes.


How to mitigate CVE-2026-35385

Install the security update from the vendor's website.
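
An added example, not from the vendor or this advisory: a Python audit that lists regular files carrying setuid or setgid bits under a directory that received legacy-mode (`scp -O`) downloads as root, with a helper that clears those bits. The function names and the directory passed on the command line are assumptions made for illustration.

```python
import os
import stat
import sys

# The two mode bits this advisory is concerned with.
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def find_special_mode_files(root):
    """Return sorted (path, mode string) pairs for regular files under root
    that carry a setuid or setgid bit. Symlinks are not followed."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect the entry itself, not a link target
            if stat.S_ISREG(st.st_mode) and st.st_mode & SPECIAL_BITS:
                hits.append((path, stat.filemode(st.st_mode)))
    return sorted(hits)


def strip_special_bits(path):
    """Clear setuid/setgid on a regular file and keep every other permission bit.
    Returns the resulting permission bits."""
    # O_NOFOLLOW refuses a symlink swapped in after the scan.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError(f"not a regular file: {path}")
        new_mode = stat.S_IMODE(st.st_mode) & ~SPECIAL_BITS
        os.fchmod(fd, new_mode)
        return new_mode
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Usage: audit.py <download-directory> [--fix]
    target = sys.argv[1]
    fix = "--fix" in sys.argv[2:]
    for path, mode in find_special_mode_files(target):
        print(f"{mode} {path}")
        if fix:
            print(f"  cleared, now {oct(strip_special_bits(path))}")
```

Run it without `--fix` first and review each hit, since a file may carry these bits intentionally.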
