PT-2026-33280 · Samba · Rsync
Published
2026-04-16
·
Updated
2026-04-16
·
CVE-2026-41035
CVSS v3.1
7.4
High
| AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L |
In rsync 3.0.1 through 3.4.1, receive xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Rsync