{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/rsync/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-41035"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["rsync","use-after-free","cve-2026-41035","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ersync versions 3.0.1 through 3.4.1 are susceptible to a use-after-free vulnerability identified as CVE-2026-41035. This flaw resides within the \u003ccode\u003ereceive_xattr\u003c/code\u003e function, where an untrusted length value is used during a \u003ccode\u003eqsort\u003c/code\u003e call. The vulnerability is triggered only when rsync is executed with the \u003ccode\u003e-X\u003c/code\u003e or \u003ccode\u003e--xattrs\u003c/code\u003e option, which enables extended attribute handling. While many Linux configurations are vulnerable, the issue is more prevalent on non-Linux platforms. Exploitation of this vulnerability could allow a malicious actor to achieve arbitrary code execution on the target system. Defenders should prioritize patching rsync installations and consider disabling the \u003ccode\u003e-X\u003c/code\u003e option where extended attributes are not essential.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a system where they can influence rsync parameters. This could be through a compromised user account or a vulnerable service.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious rsync command that includes the \u003ccode\u003e-X\u003c/code\u003e or \u003ccode\u003e--xattrs\u003c/code\u003e option to enable extended attribute processing.\u003c/li\u003e\n\u003cli\u003eThe crafted command is executed on the victim machine, targeting a vulnerable rsync version (3.0.1 to 3.4.1).\u003c/li\u003e\n\u003cli\u003eDuring the \u003ccode\u003ereceive_xattr\u003c/code\u003e function call, the untrusted length value provided by the attacker is passed to the \u003ccode\u003eqsort\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eqsort\u003c/code\u003e function attempts to sort the extended attributes based on the attacker-controlled length.\u003c/li\u003e\n\u003cli\u003eDue to the manipulated length value, the \u003ccode\u003eqsort\u003c/code\u003e function accesses memory outside the allocated buffer, leading to a use-after-free condition.\u003c/li\u003e\n\u003cli\u003eThe use-after-free condition allows the attacker to potentially overwrite memory with malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code is executed within the context of the rsync process, granting them control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41035 can lead to arbitrary code execution on the affected system. The impact can range from data corruption to complete system compromise. Given the widespread use of rsync for data synchronization and backups, a successful attack could affect a large number of systems across various sectors. The vulnerability is particularly concerning on non-Linux platforms, where the likelihood of successful exploitation is higher.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade rsync to a version beyond 3.4.1 to patch CVE-2026-41035.\u003c/li\u003e\n\u003cli\u003eImplement the file integrity monitoring rule to detect unauthorized modification of rsync binaries.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect rsync commands using the \u003ccode\u003e-X\u003c/code\u003e or \u003ccode\u003e--xattrs\u003c/code\u003e option, as those options are required to trigger this vulnerability.\u003c/li\u003e\n\u003cli\u003eWhere possible, disable the use of the \u003ccode\u003e-X\u003c/code\u003e or \u003ccode\u003e--xattrs\u003c/code\u003e option for rsync to prevent exploitation of this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T07:16:31Z","date_published":"2026-04-16T07:16:31Z","id":"/briefs/2026-04-rsync-use-after-free/","summary":"rsync versions 3.0.1 through 3.4.1 are vulnerable to a use-after-free vulnerability in the receive_xattr function during a qsort call, triggered by an untrusted length value when the -X/--xattrs option is used, potentially leading to code execution.","title":"rsync Use-After-Free Vulnerability in Extended Attribute Handling (CVE-2026-41035)","url":"https://feed.craftedsignal.io/briefs/2026-04-rsync-use-after-free/"}],"language":"en","title":"CraftedSignal Threat Feed — Rsync","version":"https://jsonfeed.org/version/1.1"}