PatchSiren cyber security CVE debrief
CVE-2026-41035 Samba CVE debrief
CVE-2026-41035 is a high-severity rsync flaw in which receive_xattr trusts an untrusted length value during a qsort call, leading to a receiver use-after-free. Exposure depends on running rsync with -X/--xattrs, with broader platform impact on non-Linux systems and many, but not all, common Linux configurations.
- Vendor: Samba
- Product: rsync
- CVSS: HIGH 7.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-16
- Original CVE updated: 2026-05-21
- Advisory published: 2026-04-16
- Advisory updated: 2026-05-21
Who should care
Administrators and developers who run or ship rsync with xattr support enabled, especially backup systems, file synchronization services, distro maintainers, and anyone exchanging data with untrusted peers or sources over rsync.
Technical summary
NVD describes the issue as affecting rsync versions 3.0.1 through 3.4.1. The receiver-side receive_xattr path relies on an untrusted length value during qsort, which can lead to a use-after-free. The CVSS vector published by NVD is AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L, and the description notes that the victim must run rsync with --xattrs (-X).
Defensive priority
High: patch promptly if rsync is exposed to untrusted transfers or used in automated sync/backup workflows with --xattrs enabled.
Recommended defensive actions
- Check whether any rsync deployments use -X/--xattrs and whether they accept data from untrusted or semi-trusted peers.
- Upgrade rsync to a version outside the affected range (3.0.1 through 3.4.1) using the vendor or upstream release notes linked from the CVE record.
- Prioritize internet-facing or multi-tenant rsync services, then backup and replication jobs that process data from external systems.
- If immediate upgrading is not possible, reduce exposure by disabling xattr transfer where operationally acceptable and restricting who can connect to rsync services.
- Review platform-specific risk: non-Linux systems are described as more widely vulnerable, while Linux exposure varies by configuration.
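The first two actions above can be scripted. The POSIX shell helpers below are an added example, not part of this debrief or of the rsync project: they compare the installed rsync version against the affected range 3.0.1 through 3.4.1 and flag job definitions that invoke rsync with -X/--xattrs. The cron and systemd paths scanned in main are assumptions; point xattr_jobs_in at whatever files define your sync and backup jobs.

```sh
# Added audit helper for CVE-2026-41035 (not from the advisory or rsync).
# Affected range per the NVD record: 3.0.1 through 3.4.1, inclusive.
# Assumption: job definitions live in the cron/systemd paths scanned below.

# version_key 3.4.1 -> 3004001, a numeric key for range comparison.
version_key() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  patch=${patch%%[!0-9]*}            # "7-1ubuntu1" (distro suffix) -> "7"
  echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# True (exit 0) when VERSION is inside the affected range.
version_affected() {
  k=$(version_key "$1")
  [ "$k" -ge 3000001 ] && [ "$k" -le 3004001 ]
}

# Version of the rsync binary on PATH, or empty if none.
installed_rsync_version() {
  rsync --version 2>/dev/null |
    awk 'NR==1 { for (i=1; i<=NF; i++) if ($i=="version") { print $(i+1); exit } }'
}

# True when a command line runs rsync with xattr transfer enabled: --xattrs,
# or a single-dash option group containing X (e.g. -avX). --no-xattrs and
# option values such as --exclude=X do not match.
uses_xattrs() {
  printf '%s\n' "$1" |
    grep -Eq 'rsync.*([[:space:]]--xattrs([[:space:]]|$)|[[:space:]]-[a-zA-Z]*X)'
}

# Print each line of FILE that runs rsync with xattrs; exit 0 if any found.
xattr_jobs_in() {
  found=1
  while IFS= read -r line; do
    if uses_xattrs "$line"; then printf '%s: %s\n' "$1" "$line"; found=0; fi
  done < "$1"
  return $found
}

# Stand-alone run: check the local binary, then scan the usual job locations.
main() {
  v=$(installed_rsync_version)
  if [ -z "$v" ]; then echo "rsync not found on PATH"
  elif version_affected "$v"; then echo "rsync $v is in the affected range 3.0.1-3.4.1; upgrade"
  else echo "rsync $v is outside the affected range"; fi
  for f in /etc/crontab /etc/cron.d/* /etc/systemd/system/*.service; do
    [ -f "$f" ] && xattr_jobs_in "$f" || :
  done
}
main
```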
Evidence notes
This debrief is based on the official NVD CVE record and linked references. The NVD metadata lists affected rsync versions 3.0.1 through 3.4.1, the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L, and CWE-130. The CVE description states that receive_xattr uses an untrusted length value during qsort, causing a receiver use-after-free, and that -X/--xattrs must be enabled. Linked references include the rsync issue tracker entry, rsync release notes, and oss-security advisories/discussion posts dated 2026-04-16 and 2026-04-22.
Official resources
- CVE-2026-41035 CVE record (CVE.org)
- CVE-2026-41035 NVD detail (NVD)
- Source reference: [email protected] (Issue Tracking)
- Mitigation or vendor reference: [email protected] (Release Notes)
- Mitigation or vendor reference: [email protected] (Exploit, Mailing List, Third Party Advisory)
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 (Mailing List, Third Party Advisory)
Publicly disclosed on 2026-04-16, with the NVD record last modified on 2026-05-21.