Brief Summary: Rsync CVE-2026-41035 Use After Free in Extended Attribute Processing

A brief summary of CVE-2026-41035, a use after free vulnerability in rsync versions 3.0.1 through 3.4.1 triggered by a qsort call on stale extended attribute data. We cover the root cause, platform specific exposure, and available mitigations.

CVE Analysis

7 min read

ZeroPath CVE Analysis

2026-04-15

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

A use after free condition in rsync's extended attribute handling allows a malicious sender to corrupt the memory of any receiver process that has extended attributes enabled, affecting every rsync version from 3.0.1 through 3.4.1. The practical exposure is significant: rsync underpins countless backup pipelines, mirror infrastructure, and deployment workflows, and the vulnerable configuration is a single commonly used flag (-X or --xattrs).

Technical Information

Root Cause: Wire Count vs. Actual Count in qsort

The vulnerability lives in the receive_xattr function in xattrs.c. When rsync receives extended attributes from a remote sender, it reads a count value directly from the wire protocol. Memory is allocated based on this count, and the function begins populating an array of attribute entries. However, not all received attributes survive the intake process. Namespace rules and user-defined filters can cause certain attributes to be discarded, meaning the actual number of valid entries in the array is lower than the wire-supplied count.

The problem is that the subsequent qsort call uses the original wire count as the element count parameter rather than the number of attributes that were actually accepted. When attributes have been filtered out, the trailing slots in the array contain either uninitialized memory or stale data left over from previously processed files. The qsort function reads, compares, and rearranges these stale entries as if they were valid, inserting them into the active attribute list.

This is classified under CWE-130: Improper Handling of Length Parameter Inconsistency.

Exploitation Primitives

Once stale entries are sorted into the active list, they create dangling pointers to heap allocations that have already been freed. The vulnerability reporter identified several concrete exploitation primitives available on stock rsync builds:

  1. Read after free: Stale pointers are dereferenced during checksum comparisons and name copying operations, allowing an attacker to influence control flow based on freed heap contents.
  2. Double free: Stale pointers are freed multiple times during cleanup, corrupting the heap allocator's internal state.
  3. Information disclosure: Heap layout information can be leaked to the filesystem when stale attribute values are written as extended attributes on the receiver side.
  4. Denial of service: The memory corruption reliably crashes the receiver process with a segmentation fault, which is the most straightforward and reproducible outcome.

Attack Flow

An attacker exploiting this vulnerability would operate as a malicious rsync sender (or compromise an existing sender). The attack proceeds as follows:

  1. The victim initiates or accepts an rsync transfer with the -X (extended attributes) flag enabled.
  2. The malicious sender crafts a file list that includes extended attributes designed to trigger filtering on the receiver side. The wire count is set higher than the number of attributes the receiver will actually accept.
  3. The receiver's receive_xattr function processes the incoming attributes, filters some out, but retains the original wire count.
  4. The qsort call operates on the full array including stale slots, promoting dangling pointers into the active attribute list.
  5. Subsequent operations on these dangling pointers produce the exploitation primitives described above.

Platform Vulnerability Matrix

The exact trigger conditions depend heavily on the operating system and rsync configuration:

Operating System   | Configuration                            | Status         | Reason
Linux              | Receiver running with --fake-super       | Vulnerable     | Non-user attributes are prefixed and sorted
Linux              | Non-root receiver with attribute filter  | Vulnerable     | Filtered attributes trigger the sorting logic
Linux              | Root receiver without --fake-super       | Not Vulnerable | Attributes are accepted without filtering, so the count mismatch does not occur
FreeBSD and macOS  | Any receiver with extended attributes    | Vulnerable     | Sorting is unconditionally enabled regardless of privilege level

Linux exposure is highly dependent on the exact command line flags in use. Non Linux platforms, particularly FreeBSD and macOS, face a broader exposure profile because the vulnerable sorting path is always taken when extended attributes are requested.

Proposed Source Fix

The vulnerability reporter proposed a minimal fix that corrects the element count passed to qsort:

    if (need_sort && temp_xattr.count > 1)
        qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names);

This ensures qsort only operates on the actual number of accepted attributes (temp_xattr.count) rather than the wire supplied value, preventing stale data from being sorted into the active list.
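To make the count mismatch from the root-cause section and the effect of the one-line fix concrete, here is an added, self-contained C model of the intake-then-sort pattern. It is not rsync's code: the xa_entry struct, the "user." namespace filter, the five constructed attribute names and the stale marker are all assumptions made for the demonstration. Real rsync leaves freed pointers in the trailing slots; the model instead pre-fills every slot with an initialized "previous file" entry so the run is deterministic, and then counts how many of those leftovers are promoted into the active list when qsort is given the wire count versus the accepted count.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical attribute entry; rsync's real rsync_xa struct has more fields. */
typedef struct {
    const char *name;
    int stale;          /* 1 if this slot still holds data from a previous file */
} xa_entry;

#define MAX_XA 8

typedef struct {
    xa_entry items[MAX_XA];
    int count;          /* number of entries actually accepted during intake */
} xa_list;

static int compare_names(const void *a, const void *b)
{
    return strcmp(((const xa_entry *)a)->name, ((const xa_entry *)b)->name);
}

/* Constructed namespace rule (not rsync's): keep only "user." attributes,
 * standing in for the filtering the receiver applies to non-user namespaces. */
static int accept_name(const char *name)
{
    return strncmp(name, "user.", 5) == 0;
}

/* Model of intake: walk the wire list, drop filtered names, and record how many
 * survived in list->count. Trailing slots beyond list->count are deliberately
 * left untouched, exactly like the stale slots described in the root cause.
 * Returns the wire-supplied count so the caller can see both numbers. */
static int receive_attrs(xa_list *list, const char *const *wire, int wire_count)
{
    int accepted = 0;
    for (int i = 0; i < wire_count && i < MAX_XA; i++) {
        if (!accept_name(wire[i]))
            continue;
        list->items[accepted].name = wire[i];
        list->items[accepted].stale = 0;
        accepted++;
    }
    list->count = accepted;
    return wire_count;
}

/* How many stale ("previous file") slots now sit inside the active range
 * [0, count) after sorting, i.e. how many leftovers were promoted. */
static int stale_in_active(const xa_list *list)
{
    int n = 0;
    for (int i = 0; i < list->count; i++)
        n += list->items[i].stale;
    return n;
}

/* use_wire_count = 1 reproduces the bug pattern (qsort over the wire count);
 * use_wire_count = 0 applies the fix (qsort over the accepted count). */
int run_scenario(int use_wire_count)
{
    /* Constructed sample wire list: 3 of 5 names pass the filter. */
    static const char *const wire[] = {
        "user.zeta", "security.selinux", "user.alpha", "trusted.x", "user.mid"
    };
    const int wire_count = 5;

    xa_list list;
    /* Simulate leftovers from a previously processed file in every slot.
     * "user.leftover" sorts between "user.alpha" and "user.mid". */
    for (int i = 0; i < MAX_XA; i++) {
        list.items[i].name = "user.leftover";
        list.items[i].stale = 1;
    }

    int wc = receive_attrs(&list, wire, wire_count);   /* list.count becomes 3 */
    int n = use_wire_count ? wc : list.count;
    if (n > 1)
        qsort(list.items, n, sizeof(xa_entry), compare_names);
    return stale_in_active(&list);
}

int main(void)
{
    printf("stale entries promoted, wire count:     %d\n", run_scenario(1));
    printf("stale entries promoted, accepted count: %d\n", run_scenario(0));
    return 0;
}
```

With the wire count, qsort touches five slots and two "user.leftover" entries land inside the three-element active range, which is the promotion of stale data the advisory describes; with the accepted count the sort never reaches the stale slots and the active list contains only the three accepted names.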

Affected Systems and Versions

The vulnerability affects rsync versions 3.0.1 through 3.4.1, as well as the current development head at the time of disclosure. Exploitation requires the victim to run rsync with the -X or --xattrs flag.

Specific vulnerable configurations include:

  • Linux: Receivers running with --fake-super, or non-root receivers using attribute filters. Root receivers without --fake-super are not affected.
  • FreeBSD: All receivers using extended attributes, regardless of privilege level.
  • macOS: All receivers using extended attributes, regardless of privilege level.

Vendor Security History

The rsync project addressed a significant batch of security issues in January 2025 with the release of version 3.4.0, which was explicitly labeled a critical security release. That update resolved multiple heap buffer overflows and information leak vulnerabilities. The project's track record of responding to security disclosures, combined with the recent return of original author Andrew Tridgell to maintainer duties, suggests that a formal patch for CVE-2026-41035 will follow in a timely manner.
