Improper Preservation of Permissions Affecting openssh package, versions <0:7.4p1-23.el7_9.2


Severity

Recommended
0.0
high
0
10

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

Social Trends
EPSS
0.42% (34th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL7-OPENSSH-17138905
  • published3 Jun 2026
  • disclosed2 Apr 2026

Introduced: 2 Apr 2026

CVE-2026-35385  (opens in a new tab)
CWE-281  (opens in a new tab)

How to fix?

Upgrade RHEL:7 openssh to version 0:7.4p1-23.el7_9.2 or higher.
This issue was patched in RHSA-2026:22468.

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by RHEL. See How to fix? for RHEL:7 relevant fixed versions and status.

In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).

CVSS Base Scores

version 3.1