Rsync Vulnerability Exposes Users to Use-After-Free Flaw

The National Vulnerability Database (NVD) has detailed a critical use-after-free vulnerability affecting rsync versions 3.0.1 through 3.4.1. According to NVD, the flaw lies within the receive_xattr function, which mishandles an untrusted length value during a qsort call. This can lead to a use-after-free condition on the receiver side.

Exploitation requires the rsync command to be executed with the -X or --xattrs flag, enabling extended attributes. While many common Linux configurations are vulnerable, NVD notes that non-Linux platforms face a broader risk. The vulnerability, tracked as CVE-2026-41035, carries a CVSS score of 7.4, classifying it as HIGH severity. The underlying issue is categorized under CWE-130, which relates to buffer underflows and overflows.

What This Means For You

  • If your environment is affected by CWE-130, patch immediately and audit logs for signs of exploitation. Monitor vendor advisories for CVE-2026-41035 updates and patches.
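A first-pass host audit for the two conditions described above (a version in the 3.0.1 through 3.4.1 range and use of -X or --xattrs), written as an added example that is not code from NVD or the rsync project. The banner and command lines are constructed samples, and the function names are hypothetical.

```python
import re
import shlex

AFFECTED = ((3, 0, 1), (3, 4, 1))   # inclusive range stated on this page
TAKES_VALUE = set("eBTfM@")         # rsync short options followed by a value

def parse_version(banner):
    """Return (major, minor, patch) from `rsync --version` output, or None."""
    m = re.search(r"rsync\s+version\s+v?(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(map(int, m.groups())) if m else None

def enables_xattrs(cmdline):
    """True if the command line runs rsync with -X or --xattrs."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:               # unbalanced quotes in a log line
        argv = cmdline.split()
    start = next((i for i, a in enumerate(argv)
                  if a.rsplit("/", 1)[-1] == "rsync"), None)
    if start is None:
        return False
    for arg in argv[start + 1:]:
        if arg == "--":              # everything after this is a path
            break
        if arg == "--xattrs":
            return True
        if arg.startswith("-") and not arg.startswith("--"):
            for ch in arg[1:]:
                if ch == "X":
                    return True
                if ch in TAKES_VALUE:
                    break            # rest of the bundle is that option's value
    return False

def audit(banner, cmdlines):
    """Command lines to review; empty if the version is known to be outside the range."""
    version = parse_version(banner)
    if version is not None and not AFFECTED[0] <= version <= AFFECTED[1]:
        return []
    return [c for c in cmdlines if enables_xattrs(c)]

# Constructed sample input, not taken from any real system.
SAMPLE_BANNER = "rsync  version 3.2.7  protocol version 31"
SAMPLE_CMDLINES = [
    "rsync -aHAX /srv/data/ backup@host.example:/backups/data/",
    "/usr/bin/rsync -av --xattrs src/ dst/",
    "rsync -av -T/tmp/X src/ dst/",
    "rsync -a -- -X dst/",
    "sudo rsync --server -logDtprXe.iLsfxC . /backups/data/",
]
```

Distribution packages may backport fixes without changing the upstream version number, so a version match here means the vendor advisory still needs checking. An unparseable banner is treated as in range so that the command lines are still reviewed.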

Related ATT&CK Techniques

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

high T1190 Initial Access

CVE-2026-41035 - Rsync Use-After-Free via Extended Attributes

Indicators of Compromise

ID | Type | Indicator
CVE-2026-41035 | Use After Free | rsync versions 3.0.1 through 3.4.1
CVE-2026-41035 | Use After Free | Vulnerable function: receive_xattr
CVE-2026-41035 | Use After Free | Attack vector: rsync with -X or --xattrs option

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 16, 2026 at 10:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
