Bug 2458898 (CVE-2026-41035)

Summary: CVE-2026-41035 rsync: Rsync: Use-after-free vulnerability in extended attribute handling
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in rsync. When rsync is configured to handle extended attributes (using the -X or --xattrs option), a remote attacker can exploit a use-after-free vulnerability. This occurs because the receive_xattr function incorrectly processes an untrusted length value during a sorting operation, leading to memory corruption. Successful exploitation can result in a denial of service, causing the rsync process to crash, and may potentially allow for arbitrary code execution.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2459113, 2459114, 2459115    
Bug Blocks:    

Description OSIDB Bzimport 2026-04-16 08:01:17 UTC
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.

Comment 5 errata-xmlrpc 2026-05-14 09:19:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:17481 https://access.redhat.com/errata/RHSA-2026:17481

Comment 6 errata-xmlrpc 2026-05-19 16:09:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:19152 https://access.redhat.com/errata/RHSA-2026:19152

Comment 7 errata-xmlrpc 2026-05-19 21:41:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19368 https://access.redhat.com/errata/RHSA-2026:19368

Comment 11 errata-xmlrpc 2026-05-26 04:17:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:20601 https://access.redhat.com/errata/RHSA-2026:20601

Comment 12 errata-xmlrpc 2026-05-26 04:49:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:20602 https://access.redhat.com/errata/RHSA-2026:20602

Comment 13 errata-xmlrpc 2026-05-26 05:01:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:20604 https://access.redhat.com/errata/RHSA-2026:20604

Comment 14 errata-xmlrpc 2026-05-26 05:16:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:20603 https://access.redhat.com/errata/RHSA-2026:20603

Comment 15 errata-xmlrpc 2026-05-26 09:13:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:20696 https://access.redhat.com/errata/RHSA-2026:20696

Comment 16 errata-xmlrpc 2026-06-10 09:16:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.19

Via RHSA-2026:23245 https://access.redhat.com/errata/RHSA-2026:23245

Comment 17 errata-xmlrpc 2026-06-11 00:17:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:25149 https://access.redhat.com/errata/RHSA-2026:25149

Comment 18 errata-xmlrpc 2026-06-11 01:37:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:25170 https://access.redhat.com/errata/RHSA-2026:25170

Comment 19 errata-xmlrpc 2026-06-11 02:16:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:25172 https://access.redhat.com/errata/RHSA-2026:25172

Comment 20 errata-xmlrpc 2026-06-11 02:41:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support  - EXTENSION

Via RHSA-2026:25173 https://access.redhat.com/errata/RHSA-2026:25173

Comment 21 errata-xmlrpc 2026-06-11 06:24:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On

Via RHSA-2026:25190 https://access.redhat.com/errata/RHSA-2026:25190

Comment 22 errata-xmlrpc 2026-06-11 07:53:34 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2026:23233 https://access.redhat.com/errata/RHSA-2026:23233

Comment 23 errata-xmlrpc 2026-06-17 17:17:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2026:25181 https://access.redhat.com/errata/RHSA-2026:25181

Comment 24 errata-xmlrpc 2026-06-18 15:07:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2026:25044 https://access.redhat.com/errata/RHSA-2026:25044

Comment 26 errata-xmlrpc 2026-06-25 10:38:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2026:26542 https://access.redhat.com/errata/RHSA-2026:26542

Comment 27 errata-xmlrpc 2026-07-01 11:16:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2026:28887 https://access.redhat.com/errata/RHSA-2026:28887