Shodan
Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-41035

In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 8.0%
CVSS Severity
CVSS v3 Score 7.4
Products affected by CVE-2026-41035
  • Samba » Rsync » Version: 3.0.1
    cpe:2.3:a:samba:rsync:3.0.1
  • Samba » Rsync » Version: 3.0.2
    cpe:2.3:a:samba:rsync:3.0.2
  • Samba » Rsync » Version: 3.0.3
    cpe:2.3:a:samba:rsync:3.0.3
  • Samba » Rsync » Version: 3.0.4
    cpe:2.3:a:samba:rsync:3.0.4
  • Samba » Rsync » Version: 3.0.5
    cpe:2.3:a:samba:rsync:3.0.5
  • Samba » Rsync » Version: 3.0.6
    cpe:2.3:a:samba:rsync:3.0.6
  • Samba » Rsync » Version: 3.0.7
    cpe:2.3:a:samba:rsync:3.0.7
  • Samba » Rsync » Version: 3.0.8
    cpe:2.3:a:samba:rsync:3.0.8
  • Samba » Rsync » Version: 3.0.9
    cpe:2.3:a:samba:rsync:3.0.9
  • Samba » Rsync » Version: 3.1.0
    cpe:2.3:a:samba:rsync:3.1.0
  • Samba » Rsync » Version: 3.1.1
    cpe:2.3:a:samba:rsync:3.1.1
  • Samba » Rsync » Version: 3.1.2
    cpe:2.3:a:samba:rsync:3.1.2
  • Samba » Rsync » Version: 3.1.3
    cpe:2.3:a:samba:rsync:3.1.3
  • Samba » Rsync » Version: 3.2.0
    cpe:2.3:a:samba:rsync:3.2.0
  • Samba » Rsync » Version: 3.2.1
    cpe:2.3:a:samba:rsync:3.2.1
  • Samba » Rsync » Version: 3.2.2
    cpe:2.3:a:samba:rsync:3.2.2
  • Samba » Rsync » Version: 3.2.3
    cpe:2.3:a:samba:rsync:3.2.3
  • Samba » Rsync » Version: 3.2.4
    cpe:2.3:a:samba:rsync:3.2.4
  • Samba » Rsync » Version: 3.2.7
    cpe:2.3:a:samba:rsync:3.2.7
  • Samba » Rsync » Version: 3.3.0
    cpe:2.3:a:samba:rsync:3.3.0


Products
Pricing
Contact Us

Shodan ® - All rights reserved