2 matches found
CLSA-2026-1780062116 Fix CVE(s): CVE-2026-41035
SECURITY UPDATE: use-after-free in receivexattr - debian/patches/CVE-2026-41035.patch: replace stale local 'count' with tempxattr.count in the qsort call inside receivexattr, so the sort uses the live size of the rebuilt xattr items list; victim must run rsync with -X / --xattrs - CVE-2026-41035...
PT-2026-33280
Name of the Vulnerable Software and Affected Versions rsync versions 3.0.1 through 3.4.1 Description The receive xattr function relies on an untrusted length value during a qsort call, which can lead to a use-after-free condition on the receiver side. This occurs when the victim runs the software...