CVE-2026-41035
- Source
- https://cve.org/CVERecord?id=CVE-2026-41035
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41035.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-41035
- Downstream
- Published
- 2026-04-16T06:53:05.237Z
- Modified
- 2026-05-01T04:32:44.343082Z
- Severity
-
- 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
- Summary
- [none]
- Details
-
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.
- Database specific
{ "cwe_ids": [ "CWE-130" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41035.json", "cna_assigner": "mitre" }- References
-
- http://www.openwall.com/lists/oss-security/2026/04/16/9
- http://www.openwall.com/lists/oss-security/2026/04/22/3
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41035.json
- https://github.com/RsyncProject/rsync/issues/871
- https://github.com/RsyncProject/rsync/releases
- https://nvd.nist.gov/vuln/detail/CVE-2026-41035
- https://www.openwall.com/lists/oss-security/2026/04/16/2
Affected packages
Git / github.com/rsyncproject/rsync
Affected versions
v3.*
v3.0.1
v3.0.2
v3.0.3
v3.0.3pre1
v3.0.3pre2
v3.0.3pre3
v3.1.0
v3.1.0pre1
v3.1.1
v3.1.1pre1
v3.1.1pre2
v3.1.2
v3.1.2pre1
v3.1.3
v3.1.3pre1
v3.2.0
v3.2.0pre1
v3.2.0pre2
v3.2.0pre3
v3.2.1
v3.2.1pre1
v3.2.2
v3.2.2pre1
v3.2.2pre2
v3.2.2pre3
v3.2.3
v3.2.3pre1
v3.2.4
v3.2.4pre1
v3.2.4pre2
v3.2.4pre3
v3.2.4pre4
v3.2.5
v3.2.5pre1
v3.2.5pre2
v3.2.6
v3.2.7
v3.2.7pre1
v3.3.0
v3.3.0pre1
v3.4.0
v3.4.1