{
  "threat_severity" : "Important",
  "public_date" : "2026-04-16T06:53:05Z",
  "bugzilla" : {
    "description" : "rsync: Rsync: Use-after-free vulnerability in extended attribute handling",
    "id" : "2458898",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2458898"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-805",
  "details" : [ "In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.", "A flaw was found in rsync. When rsync is run with extended attribute handling enabled (the -X or --xattrs option), a malicious peer can trigger a use-after-free in the receiving process: the receive_xattr function passes an untrusted, sender-supplied length value to qsort, so the sorted region is no longer bounded by the buffer the receiver actually holds. The resulting memory corruption can crash the receiving rsync process (denial of service) and may allow arbitrary code execution on the receiver. Only the side that receives file data is affected; the flaw is reached whether that receiver is a client pulling from a malicious server or a server accepting a push from a malicious client." ],
  "statement" : "This is an Important flaw in rsync that allows a remote attacker to cause a denial of service or potentially execute arbitrary code on the receiving side of a transfer. The vulnerability is reachable only when rsync is run with extended attributes enabled via the `-X` or `--xattrs` option, which is not a default configuration and is not implied by `-a` (`--archive`). Exploitation requires the victim to explicitly enable this feature on the side that receives file data and to transfer with an attacker-controlled peer.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "rsync",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Affected",
    "package_name" : "rsync",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "rsync",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "rsync",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "rsync",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-41035", "https://nvd.nist.gov/vuln/detail/CVE-2026-41035", "https://github.com/RsyncProject/rsync/issues/871", "https://github.com/RsyncProject/rsync/releases", "https://www.openwall.com/lists/oss-security/2026/04/16/2" ],
  "name" : "CVE-2026-41035",
  "mitigation" : {
    "value" : "To mitigate this vulnerability, do not pass -X or --xattrs to rsync on the receiving side of a transfer unless extended attribute transfer is essential. The vulnerable code path in receive_xattr is only exercised when the receiver processes extended attributes, so omitting the option prevents it from being reached. Note that -a (--archive) does not enable -X, so only invocations that name -X or --xattrs explicitly are exposed. Audit backup scripts, cron jobs and client configurations that pull from remote hosts for this option, and for an rsync daemon that accepts pushes from clients, the rsyncd.conf parameter refuse options = xattrs rejects client requests to transfer extended attributes. Omitting the option means extended attributes (including, when rsync runs as root, security.* attributes such as SELinux contexts) will no longer be copied, which may affect workloads that depend on them.",
    "lang" : "en:us"
  },
  "csaw" : false
}