CVE-2026-41035

EUVD-2026-23215
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  7.4 HIGH    NETWORK      LOW              LOW             CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Base Score (CVSS 3.x): 7.4 HIGH
EPSS Score Percentile: 8%
Affected Products (NVD)
Vendor  Product  Version
samba   rsync    3.0.1 ≤ x ≤ 3.4.1
x = Vulnerable software versions
Debian Releases
Debian Product  Codename             Version                  Status
rsync           bookworm                                      unimportant
rsync           bookworm (security)                           unimportant
rsync           bullseye                                      unimportant
rsync           bullseye (security)                           unimportant
rsync           forky                3.4.3+ds1-2              fixed
rsync           sid                  3.4.3+ds1-2              fixed
rsync           trixie               3.4.1+ds1-5+deb13u2      fixed
rsync           trixie (security)    3.4.1+ds1-5+deb13u3      fixed
Ubuntu Releases
Ubuntu Product  Codename  Version                         Status
rsync           bionic                                    needed
rsync           focal                                     needed
rsync           jammy     Fixed 3.2.7-0ubuntu0.22.04.6    released
rsync           noble     Fixed 3.2.7-1ubuntu1.4          released
rsync           questing  Fixed 3.4.1+ds1-5ubuntu1.2      released
rsync           resolute  Fixed 3.4.1+ds1-7ubuntu0.2      released
rsync           trusty                                    needed
rsync           xenial                                    needed
Red Hat Enterprise Linux Releases
Red Hat Product  Release  Version             Status
rsync            RHEL 8   0:3.1.3-25.el8_10   fixed
rsync            RHEL 9   0:3.2.5-7.el9_8     fixed
rsync-daemon     RHEL 8   0:3.1.3-25.el8_10   fixed
rsync-daemon     RHEL 9   0:3.2.5-7.el9_8     fixed
rsync-rrsync     RHEL 9   0:3.2.5-7.el9_8     fixed