CVE-2026-35385 identifies a vulnerability in OpenSSH versions before 10.3 related to improper preservation of file permissions during scp file transfers using the legacy protocol (-O). When a file is downloaded as root without the -p (preserve mode) option, the scp client may inadvertently install the file with setuid or setgid bits set. This behavior contradicts user expectations and security best practices, as it can allow the transferred file to execute with elevated privileges. The root cause is a failure to correctly sanitize or reset permission bits on files transferred via scp under these specific conditions. The vulnerability is classified under CWE-281, which concerns improper preservation of permissions. The CVSS v3.1 base score is 7.5 (high), reflecting network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Exploitation requires an attacker to convince a root user to perform an scp download using the legacy protocol without preserving mode, which could be achieved via social engineering or malicious file hosting. Although no known exploits have been reported, the potential for privilege escalation makes this a significant risk. The vulnerability affects all OpenSSH deployments prior to version 10.3 that use the legacy scp protocol and root user downloads without the -p option. The lack of patch links suggests the fix is included in version 10.3 or later. This vulnerability highlights the risks of legacy protocol usage and the importance of strict permission handling in secure file transfer tools.

The vulnerability can lead to unauthorized privilege escalation by allowing files transferred via scp to be installed with setuid or setgid bits, enabling attackers to execute code with elevated privileges. This compromises system confidentiality, integrity, and availability. Organizations relying on OpenSSH for secure file transfers, especially those automating root-level scp operations or using legacy protocols, face increased risk of system compromise. Attackers could leverage this flaw to gain persistent root access, deploy malware, or disrupt critical services. The impact extends to any environment where OpenSSH is used, including enterprise servers, cloud infrastructure, and embedded systems. Given the high CVSS score and potential for privilege escalation, the vulnerability poses a serious threat to organizational security posture worldwide.

1. Upgrade OpenSSH to version 10.3 or later, where this vulnerability is addressed. 2. Avoid using the legacy scp protocol (-O) for file transfers; prefer the default scp or sftp protocols that handle permissions securely. 3. When performing scp downloads as root, always use the -p option to preserve file modes explicitly and prevent unintended permission changes. 4. Implement strict file permission auditing and monitoring on systems to detect unexpected setuid or setgid files. 5. Restrict root usage for scp transfers where possible; use least privilege principles and non-root accounts. 6. Educate users and administrators about the risks of legacy protocol usage and the importance of secure file transfer practices. 7. Employ network-level controls to limit exposure of SSH services to trusted hosts and networks. 8. Review and harden SSH server configurations to disable legacy or insecure options.