This security update addresses two vulnerabilities in rsync: an out-of-bounds array access via negative index (CVE-2025-10158, CVSS 4.3 MEDIUM) and a use-after-free flaw in extended attribute handling (CVE-2026-41035, CVSS 7.4 HIGH). The use-after-free vulnerability affects rsync versions 3.0.1 through 3.4.1. Red Hat has rated this update as Important and released patched packages for Red Hat Enterprise Linux 9.4 Extended Update Support and related variants.
Red Hat Product Errata RHSA-2026:20604 - Security Advisory Issued: 2026-05-26 Updated: 2026-05-26 RHSA-2026:20604 - Security Advisory Overview Updated Packages Synopsis Important: rsync security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for rsync is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool. Security Fix(es): rsync: Rsync: Out of bounds array access via negative index (CVE-2025-10158) rsync: Rsync: Use-after-free vulnerability in extended attribute handling (CVE-2026-41035) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64 Red Hat Enterprise Linux Server - AUS 9.4 x86_64 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64 Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.4 x86_64 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.4 aarch64 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.4 ppc64le Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.4 s390x Fixes BZ - 2415637 - CVE-2025-10158 rsync: Rsync: Out of bounds array access via negative index BZ - 2458898 - CVE-2026-41035 rsync: Rsync: Use-after-free vulnerability in extended attribute handling CVEs CVE-2025-10158 CVE-2026-41035 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 SRPM rsync-3.2.3-19.el9_4.3.src.rpm SHA-256: d6a575fba5593747a5f4cea8bd581f8a578a71d4aa931948357a2513405b17de x86_64 rsync-3.2.3-19.el9_4.3.x86_64.rpm SHA-256: e0881c36409d621556e373b0a3758a224ceac1ca2f535a54844bab1985e562dd rsync-daemon-3.2.3-19.el9_4.3.noarch.rpm SHA-256: 1fc2ff4d9ec829b54efefb5fa474fd4cf7d5e0e5a8c5ebefc61446cc8ebed185 rsync-debuginfo-3.2.3-19.el9_4.3.x86_64.rpm SHA-256: 8cba197065c9cda42a45bcd8667e12d3ef2bf6bf7d8b50fc79e0d9a04399fe2f rsync-debugsource-3.2.3-19.el9_4.3.x86_64.rpm SHA-256: bb1a7fa2bb239cf08956f1cf0a4861a818d1501e887cf9efcec5662d4b68f55e Red Hat Enterprise Linux Server - AUS 9.4 SRPM rsync-3.2.3-19.el9_4.3.src.rpm SHA-256: d6a575fba5593747a5f4cea8bd581f8a578a71d4aa931948357a2513405b17de x86_64 rsync-3.2.3-19.el9_4.3.x86_64.rpm SHA-256: e0881c36409d621556e373b0a3758a224ceac1ca2f535a54844bab1985e562dd rsync-daemon-3.2.3-19.el9_4.3.noarch.rpm SHA-256: 1fc2ff4d9ec829b54efefb5fa474fd4cf7d5e0e5a8c5ebefc61446cc8ebed185 rsync-debuginfo-3.2.3-19.el9_4.3.x86_64.rpm SHA-256: 8cba197065c9cda42a45bcd8667e12d3ef2bf6bf7d8b50fc79e0d9a04399fe2f rsync-debugsource-3.2.3-19.el9_4.3.x86_64.rpm SHA-256: bb1a7fa2bb239cf08956f1cf0a4861a818d1501e887cf9efcec5662d4b68f55e Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 SRPM rsync-3.2.3-19.el9_4.3.src.rpm SHA-256: d6a575fba5593747a5f4cea8bd581f8a578a71d4aa931948357a2513405b17de s390x rsync-3.2.3-19.el9_4.3.s390x.rpm SHA-256: e151a64c82ccc5e50437d0e34e4c683d06d7d6de50b648be7117f8defe76763e rsync-daemon-3.2.3-19.el9_4.3.noarch.rpm SHA-256: 1fc2ff4d9ec829b54efefb5fa474fd4cf7d5e0e5a8c5ebefc61446cc8ebed185 rsync-debuginfo-3.2.3-19.el9_4.3.s390x.rpm SHA-256: e3062781e665a886be3e4a01c73160b86f9666861322368aab6a7716fbe576c3 rsync-debugsource-3.2.3-19.el9_4.3.s390x.rpm SHA-256: 237b80f0856fe2cb0bdcf5441bbb2b5c306605987cc3175f3fe39e4776b47c30 Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 SRPM rsync-3.2.3-19.el9_4.3.src.rpm SHA-256: d6a575fba5593747a5f4cea8bd581f8a578a71d4aa931948357a2513405b17de ppc64le rsync-3.2.3-19.el9_4.3.ppc64le.rpm SHA-256: 58bad9f1a01bda9e21e65136bb6d7a023d3b6cc75162ffe128f2f16c9289f788 rsync-daemon-3.2.3-19.el9_4.3.noarch.rpm SHA-256: 1fc2ff4d9ec829b54efefb5fa474fd4cf7d5e0e5a8c5ebefc61446cc8ebed185 rsync-debuginfo-3.2.3-19.el9_4.3.ppc64le.rpm SHA-256: ce4e1896dafa26d98b21123e4f0adb902221297c07f102264dc864ab44d695e9 rsync-debugsource-3.2.3-19.el9_4.3.ppc64le.rpm SHA-256: 214eb7fcb9115bbbdddf80eff927e8e34bee4bc52829f66a9504a37313fe62bb Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 SRPM rsync-3.2.3-19.el9_4.3.src.rpm SHA-256: d6a575fba5593747a5f4cea8bd581f8a578a71d4aa931948357a2513405b17de aarch64 rsync-3.2.3-19.el9_4.3.aarch64.rpm SHA-256: 3b72f50feb6b4995a8763f439ae80052bf716baf02fd915536a553ffc69296bd rsync-daemon-3.2.3-19.el9_4.3.noarch.rpm SHA-256: 1fc2ff4d9ec829b54efefb5fa474fd4cf7d5e0e5a8c5ebefc61446cc8ebed185 rsync-debuginfo-3.2.3-19.el9_4.3.aarch64.rpm SHA-256: f3bc6e08254d1a802033ee16a5dd7b4887222f07afe7eeb18dea3fe11bf05a0c rsync-debugsource-3.2.3-19.el9_4.3.aarch64.rpm SHA-256: 44e94e9f694ee5a6797b77849ffde4b0db15776698df6d0841261345ea4d1630 Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 SRPM rsync-3.2.3-19.el9_4.3.src.rpm SHA-256: d6a575fba5593747a5f4cea8bd581f8a578a71d4aa931948357a2513405b17de ppc64le rsync-3.2.3-19.el9_4.3.ppc64le.rpm SHA-256: 58bad9f1a01bda9e21e65136bb6d7a023d3b6cc75162ffe128f2f16c9289f788 rsync-daemon-3.2.3-19.el9_4.3.noarch.rpm SHA-256: 1fc2ff4d9ec829b54efefb5fa474fd4cf7d5e0e5a8c5ebefc61446cc8ebed185 rsync-debuginfo-3.2.3-19.el9_4.3.ppc64le.rpm SHA-256: ce4e1896dafa26d98b21123e4f0adb902221297c07f102264dc864ab44d695e9 rsync-debugsource-3.2.3-19.el9_4.3.ppc64le.rpm SHA-256: 214eb7fcb9115bbbdddf80eff927e8e34bee4bc52829f66a9504a37313fe62bb Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 SRPM rsync-3.2.3-19.el9_4.3.src.rpm SHA-256: d6a575fba5593747a5f4cea8bd581f8a578a71d4aa931948357a2513405b17de x86_64 rsync-3.2.3-19.el9_4.3.x86_64.rpm SHA-256: e0881c36409d621556e373b0a3758a224ceac1ca2f535a54844bab1985e562dd rsync-daemon-3.2.3-19.el9_4.3.noarch.rpm SHA-256: 1fc2ff4d9ec829b54efefb5fa474fd4cf7d5e0e5a8c5ebefc61446cc8ebed185 rsync-debuginfo-3.2.3-19.el9_4.3.x86_64.rpm SHA-256: 8cba197065c9cda42a45bcd8667e12d3ef2bf6bf7d8b50fc79e0d9a04399fe2f rsync-debugsource-3.2.3-19.el9_4.3.x86_64.rpm SHA-256: bb1a7fa2bb239cf08956f1cf0a4861a818d1501e887cf9efcec5662d4b68f55e Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 SRPM rsync-3.2.3-19.el9_4.3.src.rpm SHA-256: d6a575fba5593747a5f4cea8bd581f8a578a71d4aa931948357a2513405b17de aarch64 rsync-3.2.3-19.el9_4.3.aarch64.rpm SHA-256: 3b72f50feb6b4995a8763f439ae80052bf716baf02fd915536a553ffc69296bd rsync-daemon-3.2.3-19.el9_4.3.noarch.rpm SHA-256: 1fc2ff4d9ec829b54efefb5fa474fd4cf7d5e0e5a8c5ebefc61446cc8ebed185 rsync-debuginfo-3.2.3-19.el9_4.3.aarch64.rpm SHA-256: f3bc6e08254d1a802033ee16a5dd7b4887222f07afe7eeb18dea3fe11bf05a0c rsync-debugsource-3.2.3-19.el9_4.3.aarch64.rpm SHA-256: 44e94e9f694ee5a6797b77849ffde4b0db15776698df6d0841261345ea4d1630 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 SRPM rsync-3.2.3-19.el9_4.3.src.rpm SHA-256: d6a575fba5593747a5f4cea8bd581f8a578a71d4aa931948357a2513405b17de s390x rsync-3.2.3-19.el9_4.3.s390x.rpm SHA-256: e151a64c82ccc5e50437d0e34e4c683d06d7d6de50b648be7117f8defe76763e rsync-daemon-3.2.3-19.el9_4.3.noarch.rpm SHA-256: 1fc2ff4d9ec829b54efefb5fa474fd4cf7d5e0e5a8c5ebefc61446cc8ebed185 rsync-debuginfo-3.2.3-19.el9_4.3.s390x.rpm SHA-256: e3062781e665a886be3e4a01c73160b86f9666861322368aab6a7716fbe576c3 rsync-debugsource-3.2.3-19.el9_4.3.s390x.rpm SHA-256: 237b80f0856fe2cb0bdcf5441bbb2b5c306605987cc3175f3fe39e4776b47c30 Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.4 SRPM rsync-3.2.3-19.el9_4.3.src.rpm SHA-256: d6a575fba5593747a5f4cea8bd581f8a578a71d4aa931948357a2513405b17de x86_64 rsync-3.2.3-19.el9_4.3.x86_64.rpm SHA-256: e0881c36409d621556e373b0a3758a224ceac1ca2f535a54844bab1985e562dd rsync-daemon-3.2.3-19.el9_4.3.noarch.rpm SHA-256: 1fc2ff4d9ec829b54efefb5fa474fd4cf7d5e0e5a8c5ebefc61446cc8ebed185 rsync-debuginfo-3.2.3-19.el9_4.3.x86_64.rpm SHA-256: 8cba197065c9cda42a45bcd8667e12d3ef2bf6bf7d8b50fc79e0d9a04399fe2f rsync-debugsource-3.2.3-19.el9_4.3.x86_64.rpm SHA-256: bb1a7fa2bb239cf08956f1cf0a4861a818d1501e887cf9efcec5662d4b68f55e Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.4 SRPM rsync-3.2.3-19.el9_4.3.src.rpm SHA-256: d6a575fba5593747a5f4cea8bd581f8a578a71d4aa931948357a2513405b17de aarch64 rsync-3.2.3-19.el9_4.3.aarch64.rpm SHA-256: 3b72f50feb6b4995a8763f439ae80052bf716baf02fd915536a553ffc69296bd rsync-daemon-3.2.3-19.el9_4.3.noarch.rpm SHA-256: 1fc2ff4d9ec829b54efefb5fa474fd4cf7d5e0e5a8c5ebefc61446cc8ebed185 rsync-debuginfo-3.2.3-19.el9_4.3.aarch64.rpm SHA-256: f3bc6e08254d1a802033ee16a5dd7b4887222f07afe7eeb18dea3fe11bf05a0c rsync-debugsource-3.2.3-19.el9_4.3.aarch6