CVE-2026-35385
Published: 02 April 2026
Summary
CVE-2026-35385 is a high-severity Improper Preservation of Permissions (CWE-281) vulnerability in OpenBSD OpenSSH. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 12.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the OpenSSH scp flaw by requiring timely patching to version 10.3 or later, which prevents unintended setuid/setgid permissions on downloaded files.
- AC-6 (Least Privilege): Enforces least privilege by prohibiting execution of scp as root; the flaw only lets a downloaded file gain setuid/setgid bits that enable privilege escalation when scp runs as root.
- Establishes secure configuration settings for OpenSSH that disable the legacy scp protocol (-O) or enforce mode preservation (-p), removing the specific usage conditions under which the vulnerability applies.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a software vulnerability in the scp client that can be exploited to place a malicious file with unintended setuid/setgid permissions, which directly enables privilege escalation to root.
NVD Description
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
Deeper analysis
CVE-2026-35385 affects OpenSSH versions before 10.3, specifically its scp client. The vulnerability arises when a file is downloaded using scp executed as root with the -O option (which selects the legacy scp protocol) and without the -p option (which preserves mode bits). In this scenario, the downloaded file may be installed with setuid or setgid permissions, contrary to some users' expectations. The issue is classified under CWE-281 and carries a CVSS v3.1 base score of 7.5 (vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
An attacker can exploit this vulnerability over the network with no privileges, though it requires high attack complexity and user interaction. The scenario involves tricking an administrator or root user into executing the vulnerable scp command with the specified flags to download a malicious file from a remote server the attacker controls. Successful exploitation results in the file being placed with setuid or setgid permissions, potentially enabling privilege escalation, unauthorized access, or execution of arbitrary code with root privileges, which accounts for the high confidentiality, integrity, and availability impacts.
Advisories and release notes, including those from the OpenSSH development list, oss-security mailing list, and OpenSSH 10.3p1 release notes, recommend upgrading to OpenSSH 10.3 or later, where the behavior is fixed to prevent unintended setuid/setgid installation in this configuration.
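As an added illustration of the failure mode and of the defensive checks the controls above imply, the following Python (written for this page, not taken from OpenSSH) parses the legacy scp control record that carries the sender's mode, contrasts an assumed model of the pre-10.3 receiver behaviour with a hardened rule that strips setuid/setgid unless -p is given, and audits a download directory for files that already carry those bits. The pre-fix model is an assumption based on the advisory wording, not OpenSSH's actual source, and the sample records are constructed.

```python
import os
import re
import stat

# Legacy (-O) scp transfers announce each file with a control record
# "C<mode> <length> <name>\n", e.g. "C0644 12 notes.txt" (constructed sample).
_C_RECORD = re.compile(r"^C([0-7]{4}) (\d+) ([^\n]+)\n?$")
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX
ESCALATION_BITS = stat.S_ISUID | stat.S_ISGID

def parse_c_record(record: str) -> tuple[int, int, str]:
    """Return (mode, length, name) parsed from a legacy scp 'C' record."""
    m = _C_RECORD.match(record)
    if not m:
        raise ValueError(f"malformed scp control record: {record!r}")
    mode, length, name = m.groups()
    return int(mode, 8), int(length), name

def pre_fix_mode(sender_mode: int, preserve: bool, umask: int = 0o022) -> int:
    """Model of the pre-10.3 behaviour the advisory describes (an assumption,
    not OpenSSH's code): without -p only the umask is applied, so sender
    supplied setuid/setgid bits survive when the receiver runs as root."""
    if preserve:
        return sender_mode & 0o7777
    return sender_mode & 0o7777 & ~umask

def hardened_mode(sender_mode: int, preserve: bool, umask: int = 0o022) -> int:
    """Receiver rule matching user expectations: honour the sender's full mode
    only with -p; otherwise drop setuid/setgid/sticky before applying umask."""
    if preserve:
        return sender_mode & 0o7777
    return sender_mode & 0o7777 & ~SPECIAL_BITS & ~umask

def escalation_bits(mode: int) -> int:
    """Non-zero when a mode carries setuid or setgid."""
    return mode & ESCALATION_BITS

def find_special_files(root_dir: str) -> list[tuple[str, int]]:
    """Post-download audit: regular files under root_dir with setuid/setgid."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and escalation_bits(st.st_mode):
                hits.append((path, stat.S_IMODE(st.st_mode)))
    return hits
```

Running find_special_files over the directory a root scp download landed in is the quickest way to confirm whether an unpatched transfer left an unexpected setuid/setgid file behind.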
Details
- CWE(s)