CVE-2025-61984
ssh allows control characters in usernames that originate from certain
possibly untrusted sources, potentially leading to code execution when a
ProxyCommand is used.
CVE-2025-61985
ssh allows the '\0' character in an ssh:// URI, potentially leading to code
execution when a ProxyCommand is used.
CVE-2026-35385
When downloading files as root in legacy (-O) mode and without the -p
(preserve modes) flag set, scp did not clear setuid/setgid bits from
downloaded files as one might typically expect. This bug dates back to the
original Berkeley rcp program. Reported by Christos Papakonstantinou of
Cantina and Spearbit.
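A post-download check for the scp issue above, as an added example that is not part of the advisory or of OpenSSH: it finds regular files under a download directory that still carry setuid or setgid bits and clears only those bits. The function names and the directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not OpenSSH code. All function names are hypothetical.
# Purpose: after a root-run legacy-mode (-O) scp download without -p,
# audit the destination tree for files that kept setuid/setgid bits.

# list_setid DIR: print regular files under DIR with setuid or setgid set.
# -type f skips symlinks, so a link pointing outside DIR is never followed.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# count_setid DIR: print how many such files exist.
# One dot is emitted per match, so file names containing newlines
# cannot inflate the count.
count_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec printf '.' \; | wc -c | tr -d ' '
}

# clear_setid DIR: drop setuid/setgid from those files and leave the
# remaining permission bits (read/write/execute) unchanged.
clear_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod u-s,g-s {} +
}

# Stand-alone use: sh check_setid.sh /path/to/downloads
if [ "$#" -ge 1 ]; then
    list_setid "$1"
fi
```

Run the listing first and review it before clearing, since a setuid file that arrived through a root download is worth investigating rather than silently fixing.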
CVE-2026-35386
Validation of shell metacharacters in user names supplied on the
command-line was performed too late to prevent some situations where they
could be expanded from %-tokens in ssh_config. For certain configurations,
such as those that use a "%u" token in a "Match exec" block, an attacker