{"id":"CVE-2026-41035","details":"In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.","modified":"2026-07-11T04:04:14.290896697Z","published":"2026-04-16T06:53:05.237Z","related":["ALSA-2026:17481","ALSA-2026:19152","ALSA-2026:19368","SUSE-SU-2026:2002-1","SUSE-SU-2026:2038-1","SUSE-SU-2026:2048-1","SUSE-SU-2026:2083-1","SUSE-SU-2026:21676-1","SUSE-SU-2026:21686-1","SUSE-SU-2026:21726-1","SUSE-SU-2026:21739-1","SUSE-SU-2026:21747-1","SUSE-SU-2026:21795-1","SUSE-SU-2026:21980-1","SUSE-SU-2026:22015-1","openSUSE-SU-2026:10775-1","openSUSE-SU-2026:20754-1","openSUSE-SU-2026:20877-1"],"database_specific":{"cwe_ids":["CWE-130"],"cna_assigner":"mitre","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41035.json"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/04/16/9"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/04/22/3"},{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41035.json"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2026/04/16/2"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:17481"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:19152"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:19368"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:20601"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:20602"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:20603"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:20604"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:20696"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:23233"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:23245"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:25044"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:25149"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:25170"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:25172"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:25173"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:25181"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:25190"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:26542"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:28887"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:29197"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:34098"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-41035"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41035.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41035"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2458898"},{"type":"REPORT","url":"https://github.com/RsyncProject/rsync/issues/871"},{"type":"PACKAGE","url":"https://github.com/RsyncProject/rsync/releases"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.samba.org/rsync.git/","events":[{"introduced":"325c243210cdb3e8467e78f673043661f86fdf74"},{"last_affected":"3305a7a063ab0167cab5bf7029da53abaa9fdb6e"}],"database_specific":{"extracted_events":[{"introduced":"3.0.1"},{"last_affected":"3.4.1"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*"}},{"type":"GIT","repo":"https://github.com/rsyncproject/rsync","events":[{"introduced":"325c243210cdb3e8467e78f673043661f86fdf74"},{"last_affected":"3305a7a063ab0167cab5bf7029da53abaa9fdb6e"}],"database_specific":{"extracted_events":[{"introduced":"3.0.1"},{"last_affected":"3.4.1"}],"source":"AFFECTED_FIELD"}}],"versions":["v3.2.7","v3.4.1","v3.4.0","v3.3.0","v3.3.0pre1","v3.2.7pre1","v3.2.6","v3.2.5","v3.2.5pre2","v3.2.5pre1","v3.2.4","v3.2.4pre4","v3.2.4pre3","v3.2.4pre2","v3.2.4pre1","v3.2.3","v3.2.3pre1","v3.2.2","v3.2.2pre3","v3.2.2pre2","v3.2.2pre1","v3.2.1","v3.2.1pre1","v3.2.0","v3.2.0pre3","v3.2.0pre2","v3.2.0pre1","v3.1.3","v3.1.3pre1","v3.1.2","v3.1.2pre1","v3.1.1","v3.1.1pre2","v3.1.1pre1","v3.1.0","v3.1.0pre1","v3.0.3","v3.0.3pre3","v3.0.3pre2","v3.0.3pre1","v3.0.2","v3.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41035.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"}]}