CVE-2026-35385

Publication date 2 April 2026

Last updated 6 July 2026


Ubuntu priority

Cvss 3 Severity Score

7.5 · High

Score breakdown

Description

In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

Read the notes from the security team

Status

Package Ubuntu Release Status
openssh 26.04 LTS resolute
Fixed 1:10.2p1-2ubuntu3.2
25.10 questing
Fixed 1:10.0p1-5ubuntu5.4
24.04 LTS noble
Fixed 1:9.6p1-3ubuntu13.16
22.04 LTS jammy
Fixed 1:8.9p1-3ubuntu0.15
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Fixed 1:7.2p2-4ubuntu2.10+esm8
14.04 LTS trusty
Needs evaluation
openssh-ssh1 26.04 LTS resolute Ignored
25.10 questing Ignored
24.04 LTS noble Ignored
22.04 LTS jammy Ignored
20.04 LTS focal Ignored
18.04 LTS bionic Ignored

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Notes


mdeslaur

openssh-ssh1 is only provided for compatibility with old devices that cannot be upgraded to modern protocols. We will not be providing any security support for the openssh-ssh1 package as it is insecure and should be used in trusted environments only.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
openssh

Severity score breakdown

CVSS version: CVSS v3.0

Base score 7.5 · High

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

Other references


Access our resources on patching vulnerabilities