High severity7.4NVD Advisory· Published Apr 16, 2026· Updated Apr 22, 2026

CVE-2026-41035

Description

In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.

Affected products

RsyncProject/Rsyncreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2026/04/16/9nvd
www.openwall.com/lists/oss-security/2026/04/22/3nvd
github.com/RsyncProject/rsync/issues/871nvd
www.openwall.com/lists/oss-security/2026/04/16/2nvd

News mentions

No linked articles in our index yet.

cvss	0.481
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000