CVE-2026-41035 Overview
A use-after-free vulnerability has been identified in rsync versions 3.0.1 through 3.4.1. The flaw exists in the receive_xattr function, which relies on an untrusted length value during a qsort call. This memory corruption issue can be triggered when rsync is run with the -X (or --xattrs) option, which enables extended attribute synchronization.
Critical Impact
Attackers can exploit this use-after-free vulnerability to potentially execute arbitrary code or cause denial of service on systems running vulnerable rsync versions with extended attribute support enabled.
Affected Products
- rsync versions 3.0.1 through 3.4.1
- Linux systems with common configurations using extended attributes
- Non-Linux platforms (more widely affected due to extended attribute handling differences)
Discovery Timeline
- April 16, 2026 - CVE-2026-41035 published to NVD
- April 16, 2026 - Last updated in NVD database
Technical Details for CVE-2026-41035
Vulnerability Analysis
This vulnerability is classified under CWE-130 (Improper Handling of Length Parameter Inconsistency), which describes flaws where software fails to properly handle discrepancies between actual data lengths and declared length values. In the case of rsync, the receive_xattr function accepts a length value from an untrusted source without adequate validation before using it in memory operations.
The attack can be initiated over the network, as rsync commonly operates in client-server mode for remote file synchronization. Once exploited, the use-after-free condition occurs during the qsort operation, where the sorting algorithm accesses memory that has already been freed. This can lead to memory corruption, information disclosure, or arbitrary code execution depending on the state of the heap and attacker control over the freed memory region.
Linux systems have varying exposure depending on their extended attribute configuration, while non-Linux platforms are generally more susceptible due to differences in how extended attributes are processed.
Root Cause
The root cause stems from improper validation of the length parameter received during extended attribute processing. The receive_xattr function trusts the length value provided in the protocol data without verifying that it accurately represents the data being processed. When this untrusted length is passed to qsort, it can cause the function to access memory outside the intended boundaries, leading to use-after-free conditions when the memory has been deallocated.
Attack Vector
The vulnerability is exploitable over the network when a victim connects to a malicious rsync server or when a malicious client connects to a legitimate server. The attack requires the victim to run rsync with the -X or --xattrs flag enabled. The attacker crafts malformed extended attribute data with an inconsistent length value, triggering the memory corruption during the sorting operation.
The exploitation mechanism involves:
- Establishing an rsync connection with the target
- Sending crafted extended attribute data with a manipulated length value
- Triggering the qsort call in receive_xattr with the malicious length
- Exploiting the resulting use-after-free condition to achieve code execution or cause a crash
For detailed technical information, refer to GitHub Issue #871 and the Openwall OSS Security advisory.
Detection Methods for CVE-2026-41035
Indicators of Compromise
- Unexpected rsync process crashes or segmentation faults during file synchronization
- Unusual memory access patterns or corruption detected in rsync processes
- Rsync connections from untrusted sources requesting extended attribute transfers
- Abnormal network traffic patterns during rsync sessions with extended attributes enabled
Detection Strategies
- Monitor rsync processes for abnormal termination signals (SIGSEGV, SIGABRT) that may indicate exploitation attempts
- Implement network monitoring to detect rsync connections with anomalous extended attribute data sizes
- Deploy endpoint detection solutions capable of identifying use-after-free exploitation patterns in memory
- Enable verbose logging for rsync operations to capture detailed transfer information for forensic analysis
Monitoring Recommendations
- Configure system logging to capture rsync command-line arguments, specifically monitoring for -X or --xattrs usage
- Implement file integrity monitoring on critical systems that use rsync for synchronization
- Monitor for unexpected outbound connections from rsync processes that could indicate command-and-control activity
- Deploy memory protection mechanisms like ASLR and stack canaries to mitigate exploitation success
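An added example (not part of the advisory or of the rsync project) of the command-line check recommended above: it takes logged rsync command lines, works out whether extended attributes end up enabled, and reports them only when the `rsync --version` banner falls inside the affected range. The sample banner and command lines are constructed, and the set of short options treated as taking a value is an assumption of this example.

```python
import re
import shlex

AFFECTED_MIN, AFFECTED_MAX = (3, 0, 1), (3, 4, 1)  # range stated in the advisory
# Assumption: short options that take a value; later letters in the cluster are that value.
SHORT_OPTS_WITH_ARG = set("eBfTM@")

def uses_xattrs(cmdline):
    """True if the logged rsync command line ends up with xattrs enabled."""
    words = shlex.split(cmdline)
    names = [w.rsplit("/", 1)[-1] for w in words]
    if "rsync" not in names:
        return False
    enabled = False
    for word in words[names.index("rsync") + 1:]:
        if word == "--":                     # end of options
            break
        if word == "--xattrs":
            enabled = True
        elif word in ("--no-xattrs", "--no-X"):
            enabled = False                  # a later --no-* switches it off again
        elif word.startswith("-") and not word.startswith("--"):
            for letter in word[1:]:          # clustered short options, e.g. -aXv
                if letter in SHORT_OPTS_WITH_ARG:
                    break
                if letter == "X":
                    enabled = True
    return enabled

def parse_version(banner):
    """Extract (major, minor, patch) from the first line of `rsync --version`."""
    m = re.search(r"rsync\s+version\s+v?(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(p) for p in m.groups()) if m else None

def exposed_commands(banner, cmdlines):
    """Command lines that enable xattrs on a build inside the affected range."""
    version = parse_version(banner)
    if version is None or not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return []
    return [c for c in cmdlines if uses_xattrs(c)]

SAMPLE_BANNER = "rsync  version 3.2.7  protocol version 31"  # constructed, as are the lines below
SAMPLE_CMDLINES = [
    "/usr/bin/rsync -aXv /srv/data/ backup@host:/backup/",
    "rsync -av -e 'ssh -X' /srv/data/ host:/backup/",
    "rsync -ax --delete /home/ /mnt/home/",
    "rsync -a --xattrs --no-xattrs src/ dst/",
    "rsync --archive --xattrs src/ rsync://mirror.example/module/",
]
```

The `ssh -X` inside the `-e` value and the lowercase `-x` are deliberately not flagged. A version inside the range is a prompt to check the distribution's advisory, since packagers sometimes backport fixes without changing the upstream version string.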
How to Mitigate CVE-2026-41035
Immediate Actions Required
- Upgrade rsync to version 3.4.2 or later, which contains the security fix for this vulnerability
- If immediate patching is not possible, disable extended attribute synchronization by removing the -X or --xattrs flag from rsync commands
- Restrict rsync access to trusted networks and authenticated users only
- Implement network segmentation to limit exposure of systems running vulnerable rsync versions
Patch Information
The rsync project has addressed this vulnerability in releases following version 3.4.1. Users should upgrade to the latest stable release available from the official rsync GitHub releases page. Package managers for major Linux distributions should have updated packages available. Verify the integrity of downloaded packages and ensure the version installed is 3.4.2 or higher.
Workarounds
- Remove the -X or --xattrs option from rsync commands and scripts until patching is complete
- Use SSH tunneling with strict host verification for all rsync connections to reduce attack surface
- Implement firewall rules to restrict rsync port access (typically TCP port 873) to trusted IP addresses only
- Consider using alternative file synchronization tools that do not have this vulnerability for sensitive transfers
# Configuration example
# Disable extended attributes in rsync daemon configuration
# Edit /etc/rsyncd.conf
# Add or modify refuse options to block xattr transfers
# (this example value also refuses --delete; keep only xattrs if clients rely on it)
refuse options = delete xattrs
# Restrict connections to trusted networks
hosts allow = 192.168.1.0/24
hosts deny = *
# Enable chroot for additional isolation
use chroot = yes

