CVE-2026-41035
Published
CVSS v3
7.4
HIGH
CVSS v2
N/A
Affected
1
PROJECT
Description
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.
An open source utility that provides fast incremental file transfer. It also has useful features for backup and restore operations among many other use cases.
GitHub