CVE-2026-41035

EUVD-2026-23215
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.4 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 31%
Affected Products (NVD)
VendorProductVersion
sambarsync
3.0.1 ≤
𝑥
≤ 3.4.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
rsync
bookworm
3.2.7-1+deb12u6
fixed
bookworm (security)
3.2.7-1+deb12u5
fixed
bullseye
unimportant
bullseye (security)
3.2.3-4+deb11u4
fixed
forky
3.4.4+ds1-1
fixed
sid
3.4.4+ds1-1
fixed
trixie
3.4.1+ds1-5+deb13u4
fixed
trixie (security)
3.4.1+ds1-5+deb13u3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
rsync
bionic
Fixed 3.1.2-2.1ubuntu1.6+esm3
released
focal
Fixed 3.1.3-8ubuntu0.9+esm1
released
jammy
Fixed 3.2.7-0ubuntu0.22.04.6
released
noble
Fixed 3.2.7-1ubuntu1.4
released
questing
Fixed 3.4.1+ds1-5ubuntu1.2
released
resolute
Fixed 3.4.1+ds1-7ubuntu0.2
released
trusty
Fixed 3.1.0-2ubuntu0.4+esm3
released
xenial
Fixed 3.1.1-3ubuntu1.3+esm5
released
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
rsync
RHEL 8
0:3.1.3-25.el8_10
fixed
RHEL 8.4 AUS
0:3.1.3-12.el8_4.7
fixed
RHEL 9
0:3.2.5-7.el9_8
fixed
rsync-daemon
RHEL 8
0:3.1.3-25.el8_10
fixed
RHEL 8.4 AUS
0:3.1.3-12.el8_4.7
fixed
RHEL 9
0:3.2.5-7.el9_8
fixed
rsync-rrsync
RHEL 9
0:3.2.5-7.el9_8
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
rsync
Azure Linux 3.0
0:3.4.3-1.azl3
fixed