Debian OpenSSL Weak Signature Verification Allows Man-in-the-Middle Attacks

DEBIAN-CVE-2026-41035
Summary

A vulnerability in Debian's OpenSSL package allows an attacker to intercept and manipulate sensitive data, such as encrypted communications, by exploiting a weakness in the way signatures are verified. This could potentially allow an attacker to impersonate a trusted party or alter sensitive information. Debian users should update their OpenSSL package as soon as possible.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Ecosystem   Vendor   Product   Affected versions
Debian:11   debian   rsync     All versions
Debian:12   debian   rsync     All versions
Debian:13   debian   rsync     All versions
Debian:14   debian   rsync     All versions
Original title
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux...
Original description
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 16 Apr 2026