Advisories » MGASA-2026-0101

Updated rsync packages fix security vulnerability

Publication date: 18 Apr 2026
Modification date: 18 Apr 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-41035

Description

In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted
length value during a qsort call, leading to a receiver use-after-free.
The victim must run rsync with -X (aka --xattrs). On Linux, many (but
not all) common configurations are vulnerable. Non-Linux platforms are
more widely vulnerable. (CVE-2026-41035)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=35373
• https://www.openwall.com/lists/oss-security/2026/04/16/2
• https://www.openwall.com/lists/oss-security/2026/04/16/9
• https://github.com/RsyncProject/rsync/issues/871
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41035

SRPMS

9/core

• rsync-3.2.7-1.4.mga9