Nixpkgs security tracker

Published

Permalink CVE-2026-41035

7.4 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): LOW

updated an hour ago by @LeSuisse Activity log

Created automatic suggestion 11 hours ago
@LeSuisse ignored reference https://g… an hour ago
@LeSuisse ignored
19 packages
- grsync
- rrsync
- rsyncy
- btrsync
- parsync
- librsync
- diskrsync
- openrsync
- vdirsyncer
- sqlite-rsync
- yaziPlugins.rsync
- python313Packages.btrsync
- python314Packages.btrsync
- python312Packages.sysrsync
- python313Packages.sysrsync
- python314Packages.sysrsync
- python312Packages.vdirsyncer
- python313Packages.vdirsyncer
- python314Packages.vdirsyncer
an hour ago
@LeSuisse accepted an hour ago
@LeSuisse published on GitHub an hour ago

In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted …

In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.

References

Ignored references (1)

https://github.com/RsyncProject/rsync/releases

Affected products

rsync

=<3.4.1

Matching in nixpkgs

pkgs.rsync

Fast incremental file transfer utility

nixos-unstable 3.4.1
- nixpkgs-unstable 3.4.1
- nixos-unstable-small 3.4.1
nixos-25.11 3.4.1
- nixos-25.11-small 3.4.1
- nixpkgs-25.11-darwin 3.4.1

Ignored packages (19)

pkgs.grsync

Synchronize folders, files and make backups

nixos-unstable 1.3.1
- nixpkgs-unstable 1.3.1
- nixos-unstable-small 1.3.1
nixos-25.11 1.3.1
- nixos-25.11-small 1.3.1
- nixpkgs-25.11-darwin 1.3.1

pkgs.rrsync

Helper to run rsync-only environments from ssh-logins

nixos-unstable 3.4.1
- nixpkgs-unstable 3.4.1
- nixos-unstable-small 3.4.1
nixos-25.11 3.4.1
- nixos-25.11-small 3.4.1
- nixpkgs-25.11-darwin 3.4.1

pkgs.rsyncy

Progress bar wrapper for rsync

nixos-unstable 2.2.0
- nixpkgs-unstable 2.2.0
- nixos-unstable-small 2.2.0
nixos-25.11 2.2.0
- nixos-25.11-small 2.2.0
- nixpkgs-25.11-darwin 2.2.0

pkgs.btrsync

Btrfs replication made easy

nixos-unstable 0.3
- nixpkgs-unstable 0.3
- nixos-unstable-small 0.3

pkgs.parsync

Tool to parallel rsync-like pull sync over SSH

nixos-unstable 0.2.0
- nixpkgs-unstable 0.2.0
- nixos-unstable-small 0.2.0

pkgs.librsync

Implementation of the rsync remote-delta algorithm

nixos-unstable 2.3.4
- nixpkgs-unstable 2.3.4
- nixos-unstable-small 2.3.4
nixos-25.11 2.3.4
- nixos-25.11-small 2.3.4
- nixpkgs-25.11-darwin 2.3.4

pkgs.diskrsync

Rsync for block devices and disk images

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-25.11 1.3.0
- nixos-25.11-small 1.3.0
- nixpkgs-25.11-darwin 1.3.0

pkgs.openrsync

BSD-licensed implementation of rsync

nixos-unstable 2025-01-27
- nixpkgs-unstable 2025-01-27
- nixos-unstable-small 2025-01-27
nixos-25.11 2025-01-27
- nixos-25.11-small 2025-01-27
- nixpkgs-25.11-darwin 2025-01-27