diff --git a/openssh-9.9p1-scp-clear-setuid.patch b/openssh-9.9p1-scp-clear-setuid.patch
new file mode 100644
index 0000000..1a848a1
--- /dev/null
+++ b/openssh-9.9p1-scp-clear-setuid.patch
@@ -0,0 +1,15 @@
+diff --color -ruNp a/scp.c b/scp.c
+--- a/scp.c	2026-04-07 15:54:11.193730842 +0200
++++ b/scp.c	2026-04-07 15:55:52.529425481 +0200
+@@ -1705,8 +1705,10 @@ sink(int argc, char **argv, const char *
+ 
+ 	setimes = targisdir = 0;
+ 	mask = umask(0);
+-	if (!pflag)
++	if (!pflag) {
++		mask |= 07000;
+ 		(void) umask(mask);
++	}
+ 	if (argc != 1) {
+ 		run_err("ambiguous target");
+ 		exit(1);
diff --git a/openssh.spec b/openssh.spec
index 2a05f37..122ce9c 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -249,6 +249,8 @@ Patch1038: openssh-9.9p1-reject-null-char-in-url-string.patch
 Patch1039: openssh-9.9p1-compat-mlkem.patch
 # https://github.com/openssh/openssh-portable/pull/649
 Patch1040: openssh-9.9p1-fill-default-options-error.patch
+# upstream 487e8ac146f7d6616f65c125d5edb210519b833a
+Patch1041: openssh-9.9p1-scp-clear-setuid.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -463,6 +465,7 @@ popd
 %patch1038 -p1 -b .reject-null-char-in-url-string
 %patch1039 -p1 -b .skip-mlkem-when-na
 %patch1040 -p1 -b .fill-default-options-error
+%patch1041 -p1 -b .scp-clear-setuid
 
 %patch100 -p1 -b .coverity
 
@@ -758,6 +761,9 @@ test -f %{sysconfig_anaconda} && \
   Resolves: RHEL-163366
 - Ssh should refuse connection when mlkem kex is specified in FIPS
   Resolves: RHEL-155161
+- CVE-2026-35385: Fix privilege escalation via scp legacy protocol
+  when not in preserving file mode
+  Resolves: RHEL-164754
 
 * Thu Mar 26 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-7 + 0.10.4-9
 - Version bump