{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-41035", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-16T06:53:04.777Z", "datePublished": "2026-04-16T06:53:05.237Z", "dateUpdated": "2026-06-30T12:08:51.765Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "rsync", "vendor": "Samba", "versions": [{"lessThanOrEqual": "3.4.1", "status": "affected", "version": "3.0.1", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-130", "description": "CWE-130 Improper Handling of Length Parameter Inconsistency", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T18:23:49.396Z"}, "references": [{"url": "https://www.openwall.com/lists/oss-security/2026/04/16/2"}, {"url": "https://github.com/RsyncProject/rsync/releases"}, {"url": "https://github.com/RsyncProject/rsync/issues/871"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.1", "versionEndIncluding": "3.4.1"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T12:20:04.768680Z", "id": "CVE-2026-41035", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:30:58.505Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/16/9"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/22/3"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-22T03:03:52.565Z"}}, {"affected": [{"cpes": ["cpe:/o:redhat:rhel_els:6"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION)", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:rhel_els:7"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux Server (v. 7 ELS)", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openshift:4.13::el9"], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4.13", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openshift:4.15::el9"], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4.15", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openshift:4.16::el9"], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4.16", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openshift:4.18::el9"], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4.18", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:openshift:4.19::el9"], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4.19", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux_eus:10.0"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:10.2"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream (v. 10)", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:rhel_e4s:9.0::appstream"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:rhel_e4s:9.2::appstream"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:rhel_eus:9.4::appstream"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:rhel_eus:9.6::appstream"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream (v. 9)", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux_eus:10.0"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:10.2"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux BaseOS (v. 10)", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8::baseos"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux BaseOS (v. 8)", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:rhel_aus:8.4::baseos"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:rhel_aus:8.6::baseos"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:rhel_eus_long_life:8.6::baseos"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:rhel_e4s:8.8::baseos"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:rhel_tus:8.8::baseos"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:rhel_e4s:9.0::baseos"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux BaseOS E4S (v.9.0)", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:rhel_e4s:9.2::baseos"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:rhel_eus:9.4::baseos"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:rhel_eus:9.6::baseos"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::baseos"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux BaseOS (v. 9)", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:discovery:2::el9"], "defaultStatus": "affected", "product": "Red Hat Discovery 2", "vendor": "Red Hat"}], "datePublic": "2026-04-16T06:53:05.237Z", "descriptions": [{"lang": "en", "value": "A flaw was found in rsync. When rsync is configured to handle extended attributes (using the -X or --xattrs option), a remote attacker can exploit a use-after-free vulnerability. This occurs because the receive_xattr function incorrectly processes an untrusted length value during a sorting operation, leading to memory corruption. Successful exploitation can result in a denial of service, causing the rsync process to crash, and may potentially allow for arbitrary code execution."}], "metrics": [{"other": {"content": {"namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-805", "description": "Buffer Access with Incorrect Length Value", "lang": "en", "type": "CWE"}]}], "references": [{"tags": ["vdb-entry", "x_refsource_REDHAT"], "url": "https://access.redhat.com/security/cve/CVE-2026-41035"}, {"name": "RHBZ#2458898", "tags": ["issue-tracking", "x_refsource_REDHAT"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458898"}, {"tags": ["x_sadp-csaf-vex"], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41035.json"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:25173"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:25172"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:26542"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:23233"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:25044"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:25181"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:23245"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:20696"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:19152"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:20601"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:20602"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:20604"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:20603"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:19368"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:17481"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:25170"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:25190"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:25149"}, {"tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2026:29197"}], "solutions": [{"lang": "en", "value": "RHSA-2026:25173: Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION)"}, {"lang": "en", "value": "RHSA-2026:25172: Red Hat Enterprise Linux Server (v. 7 ELS)"}, {"lang": "en", "value": "RHSA-2026:26542: Red Hat OpenShift Container Platform 4.13"}, {"lang": "en", "value": "RHSA-2026:23233: Red Hat OpenShift Container Platform 4.15"}, {"lang": "en", "value": "RHSA-2026:25044: Red Hat OpenShift Container Platform 4.16"}, {"lang": "en", "value": "RHSA-2026:25181: Red Hat OpenShift Container Platform 4.18"}, {"lang": "en", "value": "RHSA-2026:23245: Red Hat OpenShift Container Platform 4.19"}, {"lang": "en", "value": "RHSA-2026:20696: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0)"}, {"lang": "en", "value": "RHSA-2026:19152: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10)"}, {"lang": "en", "value": "RHSA-2026:20601: Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux BaseOS E4S (v.9.0)"}, {"lang": "en", "value": "RHSA-2026:20602: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"}, {"lang": "en", "value": "RHSA-2026:20604: Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4)"}, {"lang": "en", "value": "RHSA-2026:20603: Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6)"}, {"lang": "en", "value": "RHSA-2026:19368: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9)"}, {"lang": "en", "value": "RHSA-2026:17481: Red Hat Enterprise Linux BaseOS (v. 8)"}, {"lang": "en", "value": "RHSA-2026:25170: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"}, {"lang": "en", "value": "RHSA-2026:25190: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)"}, {"lang": "en", "value": "RHSA-2026:25149: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"}, {"lang": "en", "value": "RHSA-2026:29197: Red Hat Discovery 2"}], "timeline": [{"lang": "en", "time": "2026-04-16T08:00:54.200Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-16T06:53:05.237Z", "value": "Made public."}], "title": "rsync: Rsync: Use-after-free vulnerability in extended attribute handling", "workarounds": [{"lang": "en", "value": "To mitigate this vulnerability, avoid using the -X or --xattrs options with rsync if extended attribute handling is not essential for your operations. Disabling these options prevents the vulnerable code path from being exercised. This may impact functionality that relies on extended attributes."}], "x_adpType": "supplier", "x_generator": {"engine": "sadp-cli 1.0.0"}, "providerMetadata": {"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-06-30T12:08:51.765Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/16/9"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/22/3"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-22T03:03:52.565Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41035", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T12:20:04.768680Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:20:06.184Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Samba", "product": "rsync", "versions": [{"status": "affected", "version": "3.0.1", "versionType": "semver", "lessThanOrEqual": "3.4.1"}], "defaultStatus": "unknown"}], "references": [{"url": "https://www.openwall.com/lists/oss-security/2026/04/16/2"}, {"url": "https://github.com/RsyncProject/rsync/releases"}, {"url": "https://github.com/RsyncProject/rsync/issues/871"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-130", "description": "CWE-130 Improper Handling of Length Parameter Inconsistency"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "3.4.1", "versionStartIncluding": "3.0.1"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T18:23:49.396Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41035", "state": "PUBLISHED", "dateUpdated": "2026-04-22T03:03:52.565Z", "dateReserved": "2026-04-16T06:53:04.777Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-16T06:53:05.237Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"affected": [{"affectedData": [{"defaultStatus": "unknown", "product": "rsync", "vendor": "Samba", "versions": [{"lessThanOrEqual": "3.4.1", "status": "affected", "version": "3.0.1", "versionType": "semver"}]}], "source": "cve@mitre.org"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D9FD7C2-4EA5-4FB6-9B03-CBEF95B5DB20", "versionEndIncluding": "3.4.1", "versionStartIncluding": "3.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable."}], "id": "CVE-2026-41035", "lastModified": "2026-06-17T10:46:04.297", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 3.7, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-41035", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "role": "CISA Coordinator", "timestamp": "2026-04-16T12:20:04.768680Z", "version": "2.0.3"}}]}, "published": "2026-04-16T07:16:31.003", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://github.com/RsyncProject/rsync/issues/871"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/RsyncProject/rsync/releases"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2026/04/16/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/04/16/9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/04/22/3"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-130"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "rsync: Rsync: Use-after-free vulnerability in extended attribute handling", "id": "2458898", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458898"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-805", "details": ["A flaw was found in rsync. When rsync is configured to handle extended attributes (using the -X or --xattrs option), a remote attacker can exploit a use-after-free vulnerability. This occurs because the receive_xattr function incorrectly processes an untrusted length value during a sorting operation, leading to memory corruption. Successful exploitation can result in a denial of service, causing the rsync process to crash, and may potentially allow for arbitrary code execution."], "name": "CVE-2026-41035", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rsync", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "rsync", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "rsync", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "rsync", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "rsync", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-16T06:53:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-41035\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41035\nhttps://github.com/RsyncProject/rsync/issues/871\nhttps://github.com/RsyncProject/rsync/releases\nhttps://www.openwall.com/lists/oss-security/2026/04/16/2"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.1,3.4.1]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "rsync", "vendor": "samba"}], "analysis": {"en": {"generated_at": "2026-04-18T17:15:49.437522+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest Samba rsync release that removes the identified bug, which will be newer than 3.4.1.", "If an upgrade cannot be performed immediately, stop using the xattrs feature on the receiver by omitting the -X flag or disabling xattrs in configuration.", "As a temporary precaution, limit rsync access to trusted clients and monitor for abnormal terminations or signs of memory corruption."], "summary": {"action": "Immediate Patch", "impact": "Use\u2011After\u2011Free memory corruption potentially leading to denial of service or code execution"}, "threat_synthesis": {"affected_systems": "Affected products are Samba rsync, specifically versions 3.0.1 up to 3.4.1. Linux installations that are configured to allow xattrs are vulnerable; on most Linux distributions the vulnerability is present, while on non\u2011Linux platforms it is more widely seen. Therefore any system running these rsync versions and using the xattrs feature is potentially impacted.", "description_and_impact": "A use\u2011after\u2011free bug exists in rsync versions 3.0.1 through 3.4.1. It is triggered within the receive_xattr routine when the length value supplied to qsort is untrusted. If a receiver runs rsync with the -X (or --xattrs) option, this vulnerability can corrupt memory and cause a crash. In the worst case an attacker may leverage the memory corruption to execute arbitrary code or perform denial of service.", "risk_and_exploitability": "The CVSS v3 score is 7.4, indicating high severity. Exploit likelihood is low (< 1% EPSS) and no known public exploits are documented. The flaw can be triggered from the network by a sender that initiates a crafted rsync transfer containing xattrs, inferred from the description that the bug occurs when rsync receives data. The attack requires the target to run rsync with -X enabled, suggesting a remote network attacker who can control the sender can exploit the vulnerability to crash the receiver or potentially execute code if they can influence the freed memory."}}}}, "created": "2026-04-16T08:30:29.746270+00:00", "updated": "2026-04-18T17:30:05.940326+00:00", "vendors": ["samba", "samba$PRODUCT$rsync"]}