{ "affected": [ { "ecosystem_specific": {}, "package": { "ecosystem": "Alpine:v3.20", "name": "rsync", "purl": "pkg:apk/alpine/rsync?arch=source" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.4.1-r2" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": {}, "package": { "ecosystem": "Alpine:v3.21", "name": "rsync", "purl": "pkg:apk/alpine/rsync?arch=source" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.4.1-r2" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": {}, "package": { "ecosystem": "Alpine:v3.22", "name": "rsync", "purl": "pkg:apk/alpine/rsync?arch=source" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.4.1-r2" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": {}, "package": { "ecosystem": "Alpine:v3.23", "name": "rsync", "purl": "pkg:apk/alpine/rsync?arch=source" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.4.1-r2" } ], "type": "ECOSYSTEM" } ] } ], "details": "In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.", "id": "ALPINE-CVE-2026-41035", "modified": "2026-04-24T17:18:08.408433450Z", "published": "2026-04-16T07:16:31.003Z", "references": [ { "type": "ADVISORY", "url": "https://security.alpinelinux.org/vuln/CVE-2026-41035" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "type": "CVSS_V3" } ], "upstream": [ "CVE-2026-41035" ] }