CVE-2026-0964 is a path traversal vulnerability affecting the SCP client in Red Hat Enterprise Linux 10. The flaw arises because the SCP client does not properly restrict pathname inputs received from the SCP server, allowing a malicious server to send crafted file paths that escape the intended working directory. This can cause the client to overwrite arbitrary files on the local system, including executable or configuration files. Such overwrites can lead to privilege escalation or execution of malicious code if the user subsequently runs these files. The vulnerability mirrors the previously known CVE-2019-6111 in OpenSSH, indicating a recurring issue in SCP implementations. Exploitation requires the user to initiate an SCP session with a malicious server, making user interaction necessary. The attack complexity is high because the attacker must control or impersonate an SCP server and craft specific payloads. The vulnerability impacts confidentiality, integrity, and availability by allowing unauthorized file modification and potential code execution. No known exploits are currently in the wild, and no patches have been explicitly linked yet, but Red Hat is tracking and addressing the issue. The vulnerability is scored at 5.0 (medium severity) under CVSS 3.0, reflecting its moderate risk profile.

The vulnerability allows a malicious SCP server to overwrite arbitrary files on a client system, potentially leading to unauthorized code execution or system misconfiguration. This can compromise system integrity and availability, and to a lesser extent confidentiality if sensitive files are overwritten or replaced. Organizations relying on SCP for secure file transfers, especially in automated or scripted environments, face risks of supply chain compromise or lateral movement by attackers. The requirement for user interaction limits large-scale automated exploitation but targeted attacks against high-value systems remain a concern. The impact is particularly significant for environments where SCP is used to transfer critical executables or configuration files, such as in DevOps pipelines, system administration, or cloud infrastructure management. Although no exploits are known in the wild, the vulnerability could be leveraged in phishing or social engineering attacks to trick users into connecting to malicious SCP servers.

1. Apply official patches from Red Hat as soon as they become available to address the vulnerability in the SCP client. 2. Until patches are applied, avoid using SCP to transfer files from untrusted or unknown servers. 3. Prefer alternative secure file transfer methods such as SFTP or rsync over SSH, which are not affected by this specific issue. 4. Implement strict network controls and monitoring to detect and block connections to suspicious SCP servers. 5. Employ file integrity monitoring on critical systems to detect unauthorized file modifications. 6. Educate users and administrators about the risks of connecting to untrusted SCP servers and the importance of verifying server authenticity. 7. Review and restrict SCP usage in automated scripts or CI/CD pipelines to trusted sources only. 8. Consider deploying endpoint protection solutions capable of detecting anomalous file writes or execution of unexpected binaries.