{"id":"USN-8514-1","summary":"openssh vulnerability","details":"It was discovered that OpenSSH incorrectly handled file permissions when\ndownloading files as root using the legacy scp protocol without the\npreserve-mode option. An attacker could use this to install setuid or setgid\nfiles on a system, possibly leading to privilege escalation.","modified":"2026-07-06T20:44:28.013228003Z","published":"2026-07-06T14:32:58Z","related":["UBUNTU-CVE-2026-35385"],"upstream":["CVE-2026-35385","UBUNTU-CVE-2026-35385"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8514-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-35385"}],"affected":[{"package":{"name":"openssh","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/openssh?arch=source&distro=esm-infra-legacy%2Fxenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:7.2p2-4ubuntu2.10+esm8"}]}],"versions":["1:6.9p1-2","1:6.9p1-3","1:7.1p1-1","1:7.1p1-3","1:7.1p1-4","1:7.1p1-6","1:7.1p2-1","1:7.1p2-2","1:7.2p1-1","1:7.2p2-1","1:7.2p2-2","1:7.2p2-3","1:7.2p2-4","1:7.2p2-4ubuntu1","1:7.2p2-4ubuntu2.1","1:7.2p2-4ubuntu2.2","1:7.2p2-4ubuntu2.4","1:7.2p2-4ubuntu2.5","1:7.2p2-4ubuntu2.6","1:7.2p2-4ubuntu2.7","1:7.2p2-4ubuntu2.8","1:7.2p2-4ubuntu2.10","1:7.2p2-4ubuntu2.10+esm1","1:7.2p2-4ubuntu2.10+esm2","1:7.2p2-4ubuntu2.10+esm3","1:7.2p2-4ubuntu2.10+esm4","1:7.2p2-4ubuntu2.10+esm5","1:7.2p2-4ubuntu2.10+esm6","1:7.2p2-4ubuntu2.10+esm7"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro","binaries":[{"binary_version":"1:7.2p2-4ubuntu2.10+esm8","binary_name":"openssh-client"},{"binary_version":"1:7.2p2-4ubuntu2.10+esm8","binary_name":"openssh-client-ssh1"},{"binary_version":"1:7.2p2-4ubuntu2.10+esm8","binary_name":"openssh-server"},{"binary_version":"1:7.2p2-4ubuntu2.10+esm8","binary_name":"openssh-sftp-server"},{"binary_version":"1:7.2p2-4ubuntu2.10+esm8","binary_name":"ssh"},{"binary_version":"1:7.2p2-4ubuntu2.10+esm8","binary_name":"ssh-askpass-gnome"},{"binary_version":"1:7.2p2-4ubuntu2.10+esm8","binary_name":"ssh-krb5"}]},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:16.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-35385"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8514-1.json"}}],"schema_version":"1.7.5"}