CVE-2026-41035
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. T
CVSS
7.4
High
EPSS
0.4%
p32
KEV
—
Exploit Today
9
0-100
Published: Apr 16, 2026 · Last modified: Jul 15, 2026 · CWE-130 · CWE-805
0.4%EPSS · 30 days0.4%
2026-06-302026-07-16
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.
- github.comhttps://github.com/RsyncProject/rsync/issues/871
- github.comhttps://github.com/RsyncProject/rsync/releases
- www.openwall.comhttps://www.openwall.com/lists/oss-security/2026/04/16/2
- www.openwall.comhttp://www.openwall.com/lists/oss-security/2026/04/16/9
- www.openwall.comhttp://www.openwall.com/lists/oss-security/2026/04/22/3
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:17481
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19152
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19368
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:20601
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:20602
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:20603
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:20604
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:20696
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:23233
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:23245
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25044
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25149
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25170
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25172
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25173
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-338467.5 HIG66.4%
——20A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.2dCVE-2026-53678.6 HIG54.7%
——16A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.2dCVE-2026-448937.5 HIG44.4%
——13Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final and 4.2.15.Final, when decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex(), length)` and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsException. HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the IOOBE propagates and the retained slice on the pooled cumulation buffer is never released. Versions 4.1.135.Final and 4.2.15.Final patch the issue.2dCVE-2026-269558.8 HIG41.6%
——12FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command — full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.2dCVE-2026-422169.1 CRI37.3%
——11OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.2dCVE-2026-80919.8 CRI35.6%
——11Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2.2d