QSearchQSearch

CVE-2026-41035

7.4 HIGH

In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free

Published: 2026-04-16 · Last updated: 2026-05-21

Severity and scoring

CVSS
7.4 HIGH
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
CWE
CWE-130

Affected products

VendorProduct
sambarsync

Description

In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-4408 A flaw was found in Samba (9.0 CRITICAL)
  • CVE-2026-2340 A flaw was found in Samba’s vfs_worm module (6.5 MEDIUM)
  • CVE-2026-1933 A flaw was found in Samba’s handling of NTFS-style reparse points on shares configured with read only = yes (7.1 HIGH)
  • CVE-2026-3012 A flaw was found in Samba’s certificate auto-enrollment Group Policy handling (8.0 HIGH)
  • CVE-2026-4480 A flaw was found in the Samba printing subsystem (9.0 CRITICAL)

Same CWE

  • CVE-2026-45681 OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard (5.9 MEDIUM)
  • CVE-2026-45615 mouse07410/asn1c is an ASN.1 compiler (8.2 HIGH)
  • CVE-2026-48685 FastNetMon Community Edition through 1.2.9 has out-of-bounds memory access because it incorrectly parses BGP path attributes with the ext... (6.5 MEDIUM)
  • CVE-2026-33846 A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS (7.5 HIGH)
  • CVE-2026-31635 In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgk_verif... (7.5 HIGH)