Description
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.
Published: 2026-04-16
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑After‑Free memory corruption potentially leading to denial of service or code execution
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free bug exists in rsync versions 3.0.1 through 3.4.1. It is triggered within the receive_xattr routine when the length value supplied to qsort is untrusted. If a receiver runs rsync with the -X (or --xattrs) option, this vulnerability can corrupt memory and cause a crash. In the worst case an attacker may leverage the memory corruption to execute arbitrary code or perform denial of service.

Affected Systems

The affected product is Samba rsync, versions 3.0.1 through 3.4.1. On Linux, many (but not all) common configurations that use xattrs are vulnerable, and non‑Linux platforms are more widely vulnerable. Any system running one of these rsync versions as a receiver with the xattrs feature enabled is therefore potentially impacted.

Risk and Exploitability

The CVSS v3 score is 7.4, indicating high severity. Exploit likelihood is low (< 1% EPSS) and no known public exploits are documented. Since the bug occurs while rsync receives data, the flaw can be triggered over the network by a sender that initiates a crafted rsync transfer containing xattrs. The attack requires the target to run rsync with -X enabled; a remote attacker who controls the sender could then crash the receiver or, if they can influence the contents of the freed memory, potentially execute code.

Generated by OpenCVE AI on April 18, 2026 at 17:15 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Samba rsync release that removes the identified bug, which will be newer than 3.4.1.
  • If an upgrade cannot be performed immediately, stop using the xattrs feature on the receiver by omitting the -X flag or disabling xattrs in configuration.
  • As a temporary precaution, limit rsync access to trusted clients and monitor for abnormal terminations or signs of memory corruption.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 12:15:00 +0000

Field: Values Removed -> Values Added
Title: Rsync xattrs Use‑After‑Free Exploit Risk -> rsync: Rsync: Use-after-free vulnerability in extended attribute handling
Weaknesses: CWE-805 added
References: (no values listed)
Metrics (threat_severity): None -> Important


Fri, 17 Apr 2026 06:15:00 +0000

Field: Values Removed -> Values Added
Title: Rsync xattrs Use‑After‑Free Exploit Risk added

Thu, 16 Apr 2026 21:30:00 +0000

Field: Values Removed -> Values Added
References: (no values listed)

Thu, 16 Apr 2026 13:15:00 +0000

Field: Values Removed -> Values Added
Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 07:15:00 +0000

Field: Values Removed -> Values Added
Description added: In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.
First Time appeared: Samba; Samba rsync
Weaknesses: CWE-130 added
CPEs: cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:* added
Vendors & Products: Samba; Samba rsync
References: (no values listed)
Metrics (cvssV3_1) added: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-16T20:16:00.985Z

Reserved: 2026-04-16T06:53:04.777Z

Link: CVE-2026-41035

Vulnrichment

Updated: 2026-04-16T20:16:00.985Z

NVD

Status: Awaiting Analysis

Published: 2026-04-16T07:16:31.003

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-41035

Redhat

Severity: Important

Public Date: 2026-04-16T06:53:05Z

Links: CVE-2026-41035 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T17:30:05Z

Weaknesses