{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-41035", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-16T06:53:04.777Z", "datePublished": "2026-04-16T06:53:05.237Z", "dateUpdated": "2026-04-22T03:03:52.565Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "rsync", "vendor": "Samba", "versions": [{"lessThanOrEqual": "3.4.1", "status": "affected", "version": "3.0.1", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-130", "description": "CWE-130 Improper Handling of Length Parameter Inconsistency", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T18:23:49.396Z"}, "references": [{"url": "https://www.openwall.com/lists/oss-security/2026/04/16/2"}, {"url": "https://github.com/RsyncProject/rsync/releases"}, {"url": "https://github.com/RsyncProject/rsync/issues/871"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.1", "versionEndIncluding": "3.4.1"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T12:20:04.768680Z", "id": "CVE-2026-41035", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:30:58.505Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/16/9"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/22/3"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-22T03:03:52.565Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/16/9"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/22/3"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-22T03:03:52.565Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41035", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T12:20:04.768680Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:20:06.184Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Samba", "product": "rsync", "versions": [{"status": "affected", "version": "3.0.1", "versionType": "semver", "lessThanOrEqual": "3.4.1"}], "defaultStatus": "unknown"}], "references": [{"url": "https://www.openwall.com/lists/oss-security/2026/04/16/2"}, {"url": "https://github.com/RsyncProject/rsync/releases"}, {"url": "https://github.com/RsyncProject/rsync/issues/871"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-130", "description": "CWE-130 Improper Handling of Length Parameter Inconsistency"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "3.4.1", "versionStartIncluding": "3.0.1"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T18:23:49.396Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41035", "state": "PUBLISHED", "dateUpdated": "2026-04-22T03:03:52.565Z", "dateReserved": "2026-04-16T06:53:04.777Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-16T06:53:05.237Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable."}], "id": "CVE-2026-41035", "lastModified": "2026-04-22T04:16:04.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 3.7, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-16T07:16:31.003", "references": [{"source": "cve@mitre.org", "url": "https://github.com/RsyncProject/rsync/issues/871"}, {"source": "cve@mitre.org", "url": "https://github.com/RsyncProject/rsync/releases"}, {"source": "cve@mitre.org", "url": "https://www.openwall.com/lists/oss-security/2026/04/16/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/16/9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/22/3"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-130"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "rsync: Rsync: Use-after-free vulnerability in extended attribute handling", "id": "2458898", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458898"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-805", "details": ["A flaw was found in rsync. When rsync is configured to handle extended attributes (using the -X or --xattrs option), a remote attacker can exploit a use-after-free vulnerability. This occurs because the receive_xattr function incorrectly processes an untrusted length value during a sorting operation, leading to memory corruption. Successful exploitation can result in a denial of service, causing the rsync process to crash, and may potentially allow for arbitrary code execution."], "name": "CVE-2026-41035", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rsync", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "rsync", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "rsync", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "rsync", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "rsync", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-16T06:53:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-41035\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41035\nhttps://github.com/RsyncProject/rsync/issues/871\nhttps://github.com/RsyncProject/rsync/releases\nhttps://www.openwall.com/lists/oss-security/2026/04/16/2"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.1,3.4.1]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "rsync", "vendor": "samba"}], "analysis": {"en": {"generated_at": "2026-04-18T17:15:49.437522+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest Samba rsync release that removes the identified bug, which will be newer than 3.4.1.", "If an upgrade cannot be performed immediately, stop using the xattrs feature on the receiver by omitting the -X flag or disabling xattrs in configuration.", "As a temporary precaution, limit rsync access to trusted clients and monitor for abnormal terminations or signs of memory corruption."], "summary": {"action": "Immediate Patch", "impact": "Use\u2011After\u2011Free memory corruption potentially leading to denial of service or code execution"}, "threat_synthesis": {"affected_systems": "Affected products are Samba rsync, specifically versions 3.0.1 up to 3.4.1. Linux installations that are configured to allow xattrs are vulnerable; on most Linux distributions the vulnerability is present, while on non\u2011Linux platforms it is more widely seen. Therefore any system running these rsync versions and using the xattrs feature is potentially impacted.", "description_and_impact": "A use\u2011after\u2011free bug exists in rsync versions 3.0.1 through 3.4.1. It is triggered within the receive_xattr routine when the length value supplied to qsort is untrusted. If a receiver runs rsync with the -X (or --xattrs) option, this vulnerability can corrupt memory and cause a crash. In the worst case an attacker may leverage the memory corruption to execute arbitrary code or perform denial of service.", "risk_and_exploitability": "The CVSS v3 score is 7.4, indicating high severity. Exploit likelihood is low (< 1% EPSS) and no known public exploits are documented. The flaw can be triggered from the network by a sender that initiates a crafted rsync transfer containing xattrs, inferred from the description that the bug occurs when rsync receives data. The attack requires the target to run rsync with -X enabled, suggesting a remote network attacker who can control the sender can exploit the vulnerability to crash the receiver or potentially execute code if they can influence the freed memory."}}}}, "created": "2026-04-16T08:30:29.746270+00:00", "updated": "2026-04-18T17:30:05.940326+00:00", "vendors": ["samba", "samba$PRODUCT$rsync"]}