SUSE rsync Update Addresses Multiple Vulnerabilities

Severity: High (Score: 60.8)

Sources: Linuxsecurity

Published: 2026-05-22 · Updated: 2026-05-22

Keywords: rsync, update, suse, use-after-free, important, issue, fixes

Severity indicators: vulnerabilities, issue

Summary

SUSE has released an important update for rsync addressing multiple vulnerabilities, including CVE-2026-29518, CVE-2026-41035, and others. The most critical issue, CVE-2026-41035, involves a mismatch in the count of entries that can lead to a use-after-free condition. Other vulnerabilities include symlink race conditions and integer overflow issues, which could allow unauthorized access or information disclosure. The vulnerabilities affect various SUSE systems, including SUSE Linux Micro 6.1. Administrators are advised to apply the patches using recommended methods such as 'zypper patch'. The update was released on May 21, 2026, following the publication of several CVEs just days prior. This patch is crucial for maintaining system security and preventing potential exploitation.

Key Points:

  • SUSE released an important update for rsync addressing multiple vulnerabilities.
  • CVE-2026-41035 is a critical use-after-free vulnerability affecting SUSE systems.
  • Administrators should apply the patches immediately to mitigate risks.

Detailed Analysis

**Impact** SUSE Linux users, including those running SUSE Linux Micro 6.1, are affected by multiple vulnerabilities in the rsync utility. The flaws could lead to unauthorized access, use-after-free conditions, information disclosure, and potential denial of service, impacting systems across various sectors relying on SUSE distributions globally. The vulnerabilities pose risks to data integrity and confidentiality, particularly in environments where rsync is used for file synchronization and backup.

**Technical Details** The vulnerabilities include CVE-2026-29518 (Symlink-Race TOCTOU), CVE-2026-41035 (use-after-free due to count of entries mismatch), CVE-2026-43617 (authorization bypass via hostname resolution), CVE-2026-43618 (integer overflow information disclosure), CVE-2026-43619 (symlink race condition), CVE-2026-43620 (out-of-bounds array read), and CVE-2026-45232 (off-by-one stack out-of-bounds write). Exploitation vectors involve daemon race conditions, hostname resolution bypass, and malformed proxy responses. No specific malware, tools, or IOCs are provided in the articles.

**Recommended Response** Apply the SUSE-provided patches immediately using YaST online_update or the "zypper patch" command, with specific instructions for SUSE Linux Micro 6.1 (e.g., `zypper in -t patch SUSE-SLE-Micro-6.1-527=1`). Prioritize patching CVE-2026-41035 due to its use-after-free impact. Monitor for unusual rsync daemon activity and unauthorized hostname resolutions. No additional detection signatures or IOCs are currently available.

Source articles (2)

  • SUSE rsync Important Update Addressing Multiple Vulnerabilities 2026-2038 — Linuxsecurity · 2026-05-21
    ## This update for rsync fixes the following issues * CVE-2026-29518: Symlink-Race TOCTOU in Daemon (bsc#1264511). * CVE-2026-41035: Count of entries mismatch can lead to a use-after-free (bsc#1262223…
  • SUSE Linux Micro 6.1 rsync Important Use-After-Free Issue 2026-21686 — Linuxsecurity · 2026-05-21
    ## This update for rsync fixes the following issue * CVE-2026-41035: count of entries mismatch can lead to a use-after-free (bsc#1262223). ## Patch Instructions: To install this SUSE update use the SU…

Timeline

  • 2025-01-14 — CVE-2024-12085 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2025-01-15 — CVE-2024-12084 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-04-16 — CVE-2026-41035 published: CVE-2026-41035 disclosed, detailing a use-after-free vulnerability in rsync.
  • 2026-05-20 — Multiple CVEs published: CVE-2026-29518, CVE-2026-43617, CVE-2026-43618, CVE-2026-43619, CVE-2026-43620, and CVE-2026-45232 were disclosed, highlighting various vulnerabilities in rsync.
  • 2026-05-20 — CVE-2026-43619 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-20 — CVE-2026-29518 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-20 — CVE-2026-45232 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-20 — CVE-2026-43620 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-20 — CVE-2026-43617 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-20 — CVE-2026-43618 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.

CVEs

  • CVE-2024-12084
  • CVE-2024-12085
  • CVE-2026-29518
  • CVE-2026-41035
  • CVE-2026-43617
  • CVE-2026-43618
  • CVE-2026-43619
  • CVE-2026-43620
  • CVE-2026-45232

Related entities

  • CWE-125 - Out-of-bounds Read (CWE)
  • CWE-190 - Integer Overflow or Wraparound (CWE)
  • CWE-200 - Exposure of Sensitive Information (CWE)
  • CWE-287 - Improper Authentication (CWE)
  • CWE-362 - Race Condition (CWE)
  • CWE-416 - Use After Free (CWE)
  • CWE-787 - Out-of-bounds Write (CWE)
  • Linux (Platform)