OpenSSH Legacy SCP Protocol Setuid and Setgid Vulnerability

Vulnerability

In OpenSSH versions prior to 10.3, when scp is run as root using the legacy SCP protocol (-O) and without the -p flag, the downloaded file is created with any setuid or setgid bits sent by the remote side instead of having them cleared. Because -p is the flag that asks scp to preserve file modes, a user who omits it expects those bits to be dropped, so the behaviour contradicts user expectations. It is inherited from the original Berkeley rcp program on which scp is based.

Impact

A file fetched by root in this way lands on the local system with its setuid or setgid bit intact. Any local user who can execute it then runs it with the privileges of the file's owner or group, which for a file fetched as root can mean root, leading to unauthorized actions or access on the system. Whether this is exploitable in practice depends on who controls the content of the remote file and on whether the download location is reachable and executable by other users.

Reproduction

On the remote host, create a file with the setuid or setgid bit set (for example mode 4755). As root on an affected client, download it with scp in legacy mode (-O) and without the -p flag. Inspect the local copy with ls -l or stat: on an affected version the setuid or setgid bit is still set, contrary to the expectation that omitting -p discards it. Running the same download with a patched client gives a file without those bits, which confirms the comparison.

Remediation

Upgrade to OpenSSH 10.3 or later, where this issue has been addressed. Until the upgrade is possible, avoid the affected combination: do not pass -O when running scp as root (the default SFTP transfer mode is not the path described here), or avoid running scp as root at all. Files already downloaded by root with -O should be audited for setuid and setgid bits, and the bits cleared where they are not intended.
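The following script is an added example for this entry; it is not part of OpenSSH and not from the original advisory. It provides the verification step of the reproduction above (listing files under a download directory that carry setuid or setgid bits), a cleanup that strips those bits as a stop-gap for the remediation above, and, only when a hostname is passed on the command line, the legacy-scp reproduction itself. The hostname, the /tmp/suidtest path on the remote side, and root access on both ends are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not OpenSSH code: audit a download tree for files that kept
# setuid/setgid bits, clear them, and optionally run the scp -O reproduction.
set -u

# List regular files under DIR with the setuid (04000) or setgid (02000) bit.
# "find -perm -MODE" is POSIX and matches when all bits in MODE are set.
find_setxid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Succeed (exit 0) when DIR contains no setuid/setgid files, fail otherwise.
check_setxid() {
    n=$(find_setxid "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Clear setuid and setgid on every regular file under DIR. This is the
# post-download cleanup a root operator needs after scp -O without -p.
strip_setxid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} +
}

# Reproduction against an assumed test host given as $1: stage a setuid file
# there (/tmp/suidtest is an assumed path), fetch it with the legacy protocol
# and no -p, then inspect the local copy. Run as root on a test box only;
# it is not exercised when the script is invoked without arguments.
repro_legacy_scp() {
    host=$1
    dest=$(mktemp -d)
    ssh "root@$host" 'cp /bin/true /tmp/suidtest && chmod 4755 /tmp/suidtest'
    scp -O "root@$host:/tmp/suidtest" "$dest/"
    ls -l "$dest/suidtest"
    if check_setxid "$dest"; then
        echo "setuid/setgid cleared: patched behaviour"
    else
        echo "setuid/setgid retained: affected scp"
    fi
}

if [ $# -gt 0 ]; then
    repro_legacy_scp "$1"
fi
```

Run it with no arguments to source the helpers, or `sh script.sh testhost` as root on a client under test; `check_setxid /path/to/downloads` is the audit, and `strip_setxid` is the cleanup to apply once the listed files have been reviewed.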

Added: Apr 2, 2026, 5:48 PM
Updated: Apr 2, 2026, 5:48 PM

Vulnerability Rating

Custom Algorithm
spread: 9.4
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 5.1
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.