Attack Chain

1. Attacker gains initial access to a system where they can influence rsync parameters. This could be through a compromised user account or a vulnerable service.
2. Attacker crafts a malicious rsync command that includes the -X or --xattrs option to enable extended attribute processing.
3. The crafted command is executed on the victim machine, targeting a vulnerable rsync version (3.0.1 to 3.4.1).
4. During the receive_xattr function call, the untrusted length value provided by the attacker is passed to the qsort function.
5. The qsort function attempts to sort the extended attributes based on the attacker-controlled length.
6. Due to the manipulated length value, the qsort function accesses memory outside the allocated buffer, leading to a use-after-free condition.
7. The use-after-free condition allows the attacker to potentially overwrite memory with malicious code.
8. The attacker’s code is executed within the context of the rsync process, granting them control of the system.

Impact

Successful exploitation of CVE-2026-41035 can lead to arbitrary code execution on the affected system. The impact can range from data corruption to complete system compromise. Given the widespread use of rsync for data synchronization and backups, a successful attack could affect a large number of systems across various sectors. The vulnerability is particularly concerning on non-Linux platforms, where the likelihood of successful exploitation is higher.

Recommendation

• Upgrade rsync to a version beyond 3.4.1 to patch CVE-2026-41035.
• Implement the file integrity monitoring rule to detect unauthorized modification of rsync binaries.
• Deploy the Sigma rule to detect rsync commands using the -X or --xattrs option, as those options are required to trigger this vulnerability.
• Where possible, disable the use of the -X or --xattrs option for rsync to prevent exploitation of this vulnerability.