CVE-2026-41035
Status: Received - Intake
Use-After-Free in rsync xattr Handling Affects Multiple Platforms

Publication date: 2026-04-16

Last updated on: 2026-04-22

Assigner: MITRE

Description
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.
Meta Information
Published: 2026-04-16
Last Modified: 2026-04-22
Generated: 2026-05-07
AI Q&A: 2026-04-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)
Vendor          Product   Version / Range
rsync_project   rsync     From 3.0.1 (inc) to 3.4.1 (inc)
rsync_project   rsync     to 3.4.1 (inc)
rsync_project   rsync     to 3.4.2dev (exc)
CWE
CWE-130: The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-41035 is a use-after-free and double-free vulnerability in rsync's handling of extended attributes that can lead to heap corruption, denial of service (crashes), and potential information disclosure via leaked heap metadata in xattr values.

The potential for information disclosure could impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive information from unauthorized access or leaks.

Since exploitation requires the rsync receiver to run with the -X/--xattrs option and specific configurations, environments using rsync in these modes may be at risk of data exposure or service disruption, which could violate confidentiality and availability requirements under these standards.

Mitigating this vulnerability by applying the suggested fix (correcting the qsort length parameter) is important to maintain compliance and prevent potential breaches or service outages.


Can you explain this vulnerability to me?

CVE-2026-41035 is a use-after-free and double-free vulnerability in the rsync software versions 3.0.1 through 3.4.1. It occurs in the receive_xattr() function, which handles extended attributes (xattrs) during file synchronization.

The root cause is that rsync uses an untrusted length value received over the network as the count argument in a qsort() call, instead of the actual number of valid xattr items after filtering. This causes stale or uninitialized entries to be sorted and later accessed, leading to use-after-free and double-free conditions.

Specifically, the function reads a count of xattrs from the sender, allocates memory for that many entries, but filters out some entries based on namespace or user filters. The qsort() call still uses the original count, sorting stale data that references freed memory. This results in heap corruption, crashes, and potential information disclosure.

The vulnerability requires the rsync receiver to run with the -X or --xattrs option. On Linux, certain configurations are vulnerable, especially when running as non-root with --fake-super or with xattr filters passing non-user namespace xattrs. On non-Linux platforms like FreeBSD and macOS, the vulnerability is more broadly present when using -X.
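The count mismatch described above, as an added C model that is not rsync's receive_xattr() (the toy wire format and the non-root "user."-only policy are assumptions): the receiver reads every entry the sender announced, frees and compacts the ones its policy rejects, and then sorts only the surviving count, which is the correction the page describes.

```c
#define _POSIX_C_SOURCE 200809L   /* declares strdup() */
#include <stdlib.h>
#include <string.h>
/* Toy wire format (constructed for this example): per entry "name\0datum\0". */
typedef struct { char *name; char *datum; } xattr_item;

static int cmp_name(const void *a, const void *b) {
    return strcmp(((const xattr_item *)a)->name, ((const xattr_item *)b)->name);
}
/* Assumed receiver policy: a non-root receiver keeps only "user." names. */
static int accept_xattr(const char *n, int is_root) { return is_root || !strncmp(n, "user.", 5); }
/* Reads wire_count entries, frees and compacts away the rejected ones, sorts the
 * rest. *valid_count is the live-entry count, the only one qsort() may be given. */
int receive_xattrs(const char *wire, int wire_count, int is_root,
                   xattr_item *out, int *valid_count) {
    const char *p = wire;
    for (int i = 0; i < wire_count; i++) {            /* 1. read every entry */
        out[i].name = strdup(p);  p += strlen(p) + 1;
        out[i].datum = strdup(p); p += strlen(p) + 1;
    }
    int kept = 0;
    for (int i = 0; i < wire_count; i++) {            /* 2. filter and compact */
        if (accept_xattr(out[i].name, is_root)) {
            out[kept++] = out[i];
        } else {
            free(out[i].name);
            free(out[i].datum);
        }
    }
    /* 3. The defect the page describes is passing wire_count here: slots
     * out[kept..wire_count) still hold pointers freed in step 2. */
    qsort(out, (size_t)kept, sizeof(*out), cmp_name);
    *valid_count = kept;
    return kept;
}

/* Constructed sample: four entries, two outside "user.". Returns the live
 * count after filtering, or -1 if the survivors are not sorted by name. */
int demo(int is_root) {
    static const char wire[] =
        "user.b\0v1\0security.selinux\0ctx\0user.a\0v2\0trusted.x\0v3\0";
    xattr_item items[4];
    int valid = 0, sorted = 1;
    receive_xattrs(wire, 4, is_root, items, &valid);
    for (int i = 1; i < valid; i++)
        if (strcmp(items[i - 1].name, items[i].name) > 0) sorted = 0;
    for (int i = 0; i < valid; i++) { free(items[i].name); free(items[i].datum); }
    return sorted ? valid : -1;   /* non-root: 2 (user.a, user.b); root: 4 */
}
```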


How can this vulnerability impact me?

This vulnerability can lead to several negative impacts if exploited:

  • Heap corruption due to use-after-free and double-free conditions.
  • Denial of service caused by crashes (segmentation faults) in the rsync receiver.
  • Potential information disclosure through leaked heap metadata in extended attribute values.

While the vulnerability does not directly allow arbitrary code execution, the heap corruption and crashes can disrupt normal operations and potentially expose sensitive data.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs when rsync is run with the -X or --xattrs option and processes extended attributes (xattrs) with an incorrect sorting length, leading to use-after-free and double-free conditions. Detection involves monitoring rsync processes that use the -X option, especially on non-root or filtered xattr configurations.

To detect exploitation or presence of the vulnerability, you can look for crashes or segmentation faults (SIGSEGV) in rsync related to the receive_xattr() function, often triggered by malformed or unexpected extended attribute data.

Suggested commands to help detect the vulnerability or its exploitation include:

  • Run rsync with debugging or verbose flags to monitor extended attribute processing: rsync -avX --debug=all source/ destination/
  • Check system logs (e.g., dmesg, /var/log/syslog) for rsync crashes or segmentation faults.
  • Use tools like gdb or lldb to analyze core dumps if rsync crashes occur, focusing on receive_xattr() and qsort() calls.
  • Monitor network traffic for rsync sessions using extended attributes with tools like tcpdump or Wireshark, looking for unusual or malformed xattr data.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding running rsync with the -X or --xattrs option on vulnerable versions (3.0.1 through 3.4.1) until a fixed version is applied.

If extended attributes are not required for your rsync operations, disable the use of -X/--xattrs to prevent triggering the vulnerability.

On Linux systems, avoid running rsync as non-root with --fake-super or with xattr filters that pass non-user namespace xattrs, as these configurations are vulnerable.

Apply the official patch or upgrade to a fixed rsync version where the qsort call uses the correct count of valid xattr entries (temp_xattr.count) instead of the wire-supplied count.

Monitor for updates and releases from the rsync project and apply them promptly.

