CVE-2026-41035
Analyzed Analyzed - Analysis Complete
Use-After-Free in rsync xattr Handling Affects Multiple Platforms

Publication date: 2026-04-16

Last updated on: 2026-05-21

Assigner: MITRE

Description
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-05-21
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41035
EUVD
EUVD-2026-23215
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
samba rsync From 3.0.1 (inc) to 3.4.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-130 The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41035 is a use-after-free and double-free vulnerability in the rsync software versions 3.0.1 through 3.4.1. It occurs in the receive_xattr() function, which handles extended attributes (xattrs) during file synchronization.

The root cause is that rsync uses an untrusted length value received over the network as the count argument in a qsort() call, instead of the actual number of valid xattr items after filtering. This causes stale or uninitialized entries to be sorted and later accessed, leading to use-after-free and double-free conditions.

Specifically, the function reads a count of xattrs from the sender, allocates memory for that many entries, but filters out some entries based on namespace or user filters. The qsort() call still uses the original count, sorting stale data that references freed memory. This results in heap corruption, crashes, and potential information disclosure.

The vulnerability requires the rsync receiver to run with the -X or --xattrs option. On Linux, certain configurations are vulnerable, especially when running as non-root with --fake-super or with xattr filters passing non-user namespace xattrs. On non-Linux platforms like FreeBSD and macOS, the vulnerability is more broadly present when using -X.

Impact Analysis

This vulnerability can lead to several negative impacts if exploited:

  • Heap corruption due to use-after-free and double-free conditions.
  • Denial of service caused by crashes (segmentation faults) in the rsync receiver.
  • Potential information disclosure through leaked heap metadata in extended attribute values.

While the vulnerability does not directly allow arbitrary code execution, the heap corruption and crashes can disrupt normal operations and potentially expose sensitive data.

Detection Guidance

This vulnerability occurs when rsync is run with the -X or --xattrs option and processes extended attributes (xattrs) with an incorrect sorting length, leading to use-after-free and double-free conditions. Detection involves monitoring rsync processes that use the -X option, especially on non-root or filtered xattr configurations.

To detect exploitation or presence of the vulnerability, you can look for crashes or segmentation faults (SIGSEGV) in rsync related to the receive_xattr() function, often triggered by malformed or unexpected extended attribute data.

Suggested commands to help detect the vulnerability or its exploitation include:

  • Run rsync with debugging or verbose flags to monitor extended attribute processing: rsync -avX --debug=all source/ destination/
  • Check system logs (e.g., dmesg, /var/log/syslog) for rsync crashes or segmentation faults.
  • Use tools like gdb or lldb to analyze core dumps if rsync crashes occur, focusing on receive_xattr() and qsort() calls.
  • Monitor network traffic for rsync sessions using extended attributes with tools like tcpdump or Wireshark, looking for unusual or malformed xattr data.
Mitigation Strategies

Immediate mitigation steps include avoiding running rsync with the -X or --xattrs option on vulnerable versions (3.0.1 through 3.4.1) until a fixed version is applied.

If extended attributes are not required for your rsync operations, disable the use of -X/--xattrs to prevent triggering the vulnerability.

On Linux systems, avoid running rsync as non-root with --fake-super or with xattr filters that pass non-user namespace xattrs, as these configurations are vulnerable.

Apply the official patch or upgrade to a fixed rsync version where the qsort call uses the correct count of valid xattr entries (temp_xattr.count) instead of the wire-supplied count.

Monitor for updates and releases from the rsync project and apply them promptly.

Compliance Impact

CVE-2026-41035 is a use-after-free and double-free vulnerability in rsync's handling of extended attributes that can lead to heap corruption, denial of service (crashes), and potential information disclosure via leaked heap metadata in xattr values.

The potential for information disclosure could impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive information from unauthorized access or leaks.

Since exploitation requires the rsync receiver to run with the -X/--xattrs option and specific configurations, environments using rsync in these modes may be at risk of data exposure or service disruption, which could violate confidentiality and availability requirements under these standards.

Mitigating this vulnerability by applying the suggested fix (correcting the qsort length parameter) is important to maintain compliance and prevent potential breaches or service outages.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41035. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart