<Vulnerability name="CVE-2026-59996">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-07-08T00:07:07</PublicDate>
    <Bugzilla id="2497944" url="https://bugzilla.redhat.com/show_bug.cgi?id=2497944" xml:lang="en:us">
openssh: OpenSSH: `scp` file misplacement vulnerability during remote copy
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>4.6</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-22</CWE>
    <Details xml:lang="en:us" source="Mitre">
scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in OpenSSH, a widely used tool for secure remote access. When a user attempts to copy files between two different remote systems using the `scp` command, the file might be incorrectly placed in a directory above the intended destination. This unintended file placement could lead to data integrity issues or, in some cases, unauthorized access to sensitive information if files are stored in an exposed location.
    </Details>
    <Statement xml:lang="en:us">
Conditions for Exploitation: Exploitation requires specific user actions and conditions, as the vulnerability only triggers when a user explicitly initiates a file copy between two remote destinations using the scp command.

Impact Limitations: The boundaries of the potential impact are highly contained. The flaw only results in unintended file placement within the parent directory of the target destination. It does not inherently lead to arbitrary code execution, denial of service, or privilege escalation, and any potential data exposure relies heavily on the existing permissions of the parent directory.
    </Statement>
    <Mitigation xml:lang="en:us">
To mitigate this issue, users should avoid performing `scp` operations directly between two remote destinations. Instead, consider copying files from the first remote host to a local machine, and then from the local machine to the second remote host. Alternatively, use `sftp` or `rsync` for remote file transfers, as these utilities are not affected by this specific vulnerability.
    </Mitigation>
    <AffectedRelease impact="moderate" cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-07-09T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:37382">RHSA-2026:37382</Advisory>
        <Package name="openssh-main">openssh-main-10.4p1-1.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openssh</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openssh</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openssh</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openssh</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openssh</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhcos</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-59996
https://nvd.nist.gov/vuln/detail/CVE-2026-59996
https://marc.info/?l=openssh-unix-dev&amp;m=178333966933090&amp;w=2
https://www.openssh.org/releasenotes.html#10.4p1
https://www.openwall.com/lists/oss-security/2026/07/06/5
    </References>
</Vulnerability>