Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.4
Rsync with xattr enabled can crash on Linux systems
CVE-2026-41035
Summary
A bug in rsync's xattr feature can cause it to crash on Linux systems, but only if you're using a specific option. To fix, update to a newer version of rsync or disable the xattr feature if you don't need it. This issue is more of a concern on non-Linux systems.
Original title
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux...
Original description
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.
nvd CVSS3.1
7.4
Vulnerability type
CWE-130
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026