
CVE-2026-41035: rsync receiver use-after-free

The vulnerability lies in receive_xattr, where an untrusted length value is used during a qsort operation, leading to a use-after-free on the receiver. The issue is classified as CWE-130: Improper Handling of Length Parameter Inconsistency. It specifically affects configurations in which extended attributes are enabled, a common setup in many Linux environments.

  1. Identify Usage: Confirm whether rsync is executed with the -X or --xattrs flag in system automation or manual user scripts.
  2. Version Check: Verify whether the installed rsync version falls within the vulnerable range (3.0.1 - 3.4.1).
  3. Environment Audit: Assess exposure on non-Linux platforms, which are noted to be more widely vulnerable to this flaw.

Forensic analysis should focus on identifying rsync execution patterns.

  • Log Analysis: Search system logs for rsync commands utilizing -X or --xattrs.
  • Process Monitoring: Audit process execution history to identify malicious arguments or anomalous rsync invocations.

Detection

Monitor command-line arguments for rsync processes. Alert on execution of rsync with -X or --xattrs flags on affected versions.
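The detection rule above, combined with the version range from step 2 of the checklist, as an added Python example that is not part of the advisory: it flags rsync invocations that enable extended attributes (--xattrs, or -X anywhere in a short-option cluster such as -avX) on a version in the 3.0.1 - 3.4.1 range. The process records and their field layout are constructed for illustration; the `rsync --version` banner format is assumed.

```python
import re
import shlex

# Vulnerable range as stated in the advisory (inclusive).
VULN_MIN, VULN_MAX = (3, 0, 1), (3, 4, 1)

def parse_version(text):
    """Version tuple from '3.4.1', '3.2.7-1' or an 'rsync --version' banner."""
    m = re.search(r"(?<![\d.])(\d+(?:\.\d+)+)", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so '3.4' compares as 3.4.0

def is_vulnerable_version(text):
    v = parse_version(text)
    return v is not None and VULN_MIN <= v <= VULN_MAX

def uses_xattrs(cmdline):
    """True if rsync was run with --xattrs or a short -X (also inside -avX)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:        # unbalanced quotes in a logged command line
        argv = cmdline.split()
    for tok in argv[1:]:      # argv[0] is the rsync binary itself
        if tok == "--xattrs":
            return True
        # A quoted value such as --rsh="ssh -X" stays one token, so ssh's
        # own -X is not mistaken for rsync's; --no-xattrs is also skipped.
        if tok.startswith("-") and not tok.startswith("--") and "X" in tok[1:]:
            return True
    return False

# Constructed process-execution records for this example; not real hosts.
SAMPLE_EVENTS = [
    {"host": "web01", "rsync_version": "rsync  version 3.2.7  protocol version 31",
     "cmdline": "rsync -avX /srv/www/ backup:/srv/www/"},
    {"host": "db02", "rsync_version": "3.0.0",
     "cmdline": "rsync -aX --delete /var/lib/pg/ backup:/pg/"},
    {"host": "app03", "rsync_version": "3.1.3-1",
     "cmdline": "rsync -av --no-xattrs /opt/app/ backup:/app/"},
    {"host": "ci04", "rsync_version": "rsync  version 3.0.9  protocol version 30",
     "cmdline": "rsync -rlpt --xattrs ./build/ artifacts:/ci/"},
]

def find_exposed(events):
    """Advisory rule: xattr-enabled rsync on a vulnerable version -> (host, version, cmdline)."""
    return [(e["host"], parse_version(e["rsync_version"]), e["cmdline"])
            for e in events
            if is_vulnerable_version(e["rsync_version"]) and uses_xattrs(e["cmdline"])]
```

Running `find_exposed(SAMPLE_EVENTS)` returns the web01 and ci04 records only: db02 is below the vulnerable range and app03 never enables xattrs.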

Mitigation

Update rsync to a patched version beyond 3.4.1. If patching is not immediately feasible, disable the use of extended attributes (-X / --xattrs) in rsync configurations.