Use-After-Free Vulnerability in Rsync Affects Linux and Non-Linux Systems
CVE-2026-41035

7.4 HIGH

Key Information:

Vendor:
Samba
Status:
Vendor
CVE Published:
16 April 2026

What is CVE-2026-41035?

In rsync versions 3.0.1 through 3.4.1, the receive_xattr function mishandles an untrusted length value during a qsort operation. This flaw can lead to a use-after-free when rsync is run with the -X (or --xattrs) option enabled. The vulnerability predominantly affects common configurations on Linux systems, but non-Linux platforms are also widely susceptible, making this a critical issue for users of the software across environments.

Affected Version(s)

rsync 3.0.1 through 3.4.1 (inclusive)

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved