Skip to main content

rsync CVE-2026-41035

| EUVD-2026-23215 HIGH
Improper Handling of Length Parameter Inconsistency (CWE-130)
2026-04-16 mitre GHSA-m34r-4v3r-pp9v
Information Disclosure Rsync
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
SUSE
HIGH
qualitative
Red Hat
7.4 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Analysis Updated
Apr 22, 2026 - 04:28 vuln.today
v2 (cvss_changed)
Patch released
Apr 19, 2026 - 08:30 nvd
Patch available
Re-analysis Queued
Apr 16, 2026 - 21:22 vuln.today
cvss_changed
Analysis Generated
Apr 16, 2026 - 07:50 vuln.today
EUVD ID Assigned
Apr 16, 2026 - 07:30 euvd
EUVD-2026-23215
Analysis Generated
Apr 16, 2026 - 07:30 vuln.today
CVE Published
Apr 16, 2026 - 06:53 nvd
HIGH 7.4

DescriptionCVE.org

In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.

AnalysisAI

Use-after-free in rsync 3.0.1 through 3.4.1 allows authenticated remote attackers to compromise confidentiality, integrity, and availability when the victim runs rsync with extended attribute support (-X/--xattrs) enabled. The vulnerability stems from qsort operations on untrusted length values during extended attribute processing, with Linux systems in common configurations being widely vulnerable, and non-Linux platforms facing even broader exposure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain rsync credentials
Delivery
Connect to victim rsync receiver
Exploit
Send crafted xattr metadata
Execution
Trigger qsort use-after-free
Persist
Execute arbitrary code
Impact
Access synchronized files
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to invoke rsync with the -X (or --xattrs) flag explicitly enabled, which is not part of rsync's default behavior but is commonly used in backup systems, cross-platform file synchronization workflows, and environments requiring preservation of SELinux security contexts or POSIX ACLs. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate but nuanced. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privilege credentials to an rsync server (such as a compromised backup user account or shared file transfer service account) initiates a malicious rsync push operation to a victim running rsync in receiver mode with the -X flag enabled. The attacker crafts a file transfer containing manipulated extended attribute metadata with inconsistent length values. …
Remediation Upgrade to rsync version 3.4.2 or later, which addresses the use-after-free in receive_xattr function, as documented in the vendor's GitHub releases at https://github.com/RsyncProject/rsync/releases. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all rsync deployments running versions 3.0.1-3.4.1 using extended attributes (-X or --xattrs flags) via configuration audit and process inventory. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed

Share

CVE-2026-41035 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy