Skip to main content

Rsync CVE-2026-43618

| EUVDEUVD-2026-31011 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-05-20 VulnCheck GHSA-88m5-cm5m-2596
6.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Severity Changed
May 20, 2026 - 02:22 NVD
HIGH MEDIUM
CVSS changed
May 20, 2026 - 02:22 NVD
8.1 (HIGH) 6.1 (MEDIUM)
Patch available
May 20, 2026 - 02:01 EUVD
Source Code Evidence Fetched
May 20, 2026 - 01:45 vuln.today
Analysis Generated
May 20, 2026 - 01:45 vuln.today

DescriptionCVE.org

Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation.

AnalysisAI

Information disclosure in Rsync 3.4.2 and prior allows an authenticated remote sender to leak receiver process memory through an integer overflow in the compressed-token decoder. The flaw exposes environment variables, credentials, heap and stack contents, and library pointers, weakening ASLR and enabling follow-on exploitation; no public exploit identified at time of analysis, but Rsync 3.4.3 bundles the security fix.

Technical ContextAI

Rsync is a widely deployed file synchronization utility (cpe:2.3:a:rsyncproject:rsync) that uses a compressed-token protocol to efficiently transmit file deltas between sender and receiver. The vulnerability is rooted in CWE-190 (Integer Overflow or Wraparound): a 32-bit signed counter inside the compressed-token decoder is incremented without bounds checking, so a malicious sender can craft tokens that wrap the counter past INT_MAX. Because the receiver subsequently uses the wrapped value as an offset/length for buffer reads, the integer overflow translates directly into an out-of-bounds read against the receiver's address space, returning that memory back over the wire to the attacker-controlled peer.

RemediationAI

Vendor-released patch: Rsync 3.4.3 - upgrade all rsync clients, servers, and rsyncd daemons to 3.4.3 or later as tracked at https://github.com/RsyncProject/rsync/releases/tag/v3.4.3 and described in the upstream advisory https://github.com/RsyncProject/rsync/security/advisories/GHSA-g37v-g3gj-pmwq. Until distribution packages catch up, restrict who can act as a sender against your receivers by binding rsyncd to trusted networks, enforcing 'hosts allow'/'hosts deny' in rsyncd.conf and requiring 'auth users' with 'secrets file', and tunneling rsync over SSH with key-based authentication and forced commands so only vetted peers can initiate transfers; these controls reduce exposure but do not remove the underlying flaw and add operational overhead for legitimate mirror or backup clients. Avoid disabling compression as a workaround unless the vendor explicitly identifies a configuration toggle that bypasses the vulnerable token decoder, since the described primitive is in the decoder logic itself rather than gated by an optional feature.

More in Rsync

View all
CVE-2024-12085 HIGH POC
7.5 Jan 14

A flaw was found in rsync which could be triggered when rsync compares file checksums. Rated high severity (CVSS 7.5), t

CVE-2024-12084 CRITICAL POC
9.8 Jan 15

A heap-based buffer overflow flaw was found in the rsync daemon. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2014-9512 MEDIUM POC
6.4 Feb 12

rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization pa

CVE-2024-12087 HIGH POC
7.5 Jan 14

Server-to-client path traversal in rsync lets a malicious or compromised rsync server write files outside the client's i

CVE-2022-29154 HIGH POC
7.4 Aug 02

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the d

CVE-2014-2855 HIGH
7.8 Apr 23

The check_secret function in authenticate.c in rsync 3.1.0 and earlier allows remote attackers to cause a denial of serv

CVE-2024-12086 MEDIUM POC
6.8 Jan 14

A flaw was found in rsync. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authenticati

CVE-2017-16548 CRITICAL
9.8 Nov 06

The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character

CVE-2017-17434 CRITICAL
9.8 Dec 06

The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_

CVE-2017-15994 CRITICAL
9.8 Oct 29

rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to by

CVE-2024-12088 HIGH
7.5 Jan 14

Arbitrary file write outside the intended destination in rsync's client-side `--safe-links` handling allows a malicious

CVE-2026-41035 HIGH
7.8 Apr 16

Receiver-side use-after-free in rsync 3.0.1 through 3.4.1 lets a malicious peer corrupt memory on a host running rsync w

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:latest Image SLE-Micro-BYOS-EC2 Affected
Image SLES15-SP6 Image SLES15-SP6-BYOS Image SLES15-SP6-BYOS-Azure Image SLES15-SP6-BYOS-EC2 Image SLES15-SP6-BYOS-GCE Image SLES15-SP6-GCE Image SLES15-SP6-HPC-BYOS Image SLES15-SP6-HPC-BYOS-Azure Image SLES15-SP6-HPC-BYOS-EC2 Image SLES15-SP6-HPC-BYOS-GCE Image SLES15-SP6-HPC-EC2 Image SLES15-SP6-HPC-GCE Image SLES15-SP6-Hardened-BYOS Image SLES15-SP6-Hardened-BYOS-Azure Image SLES15-SP6-Hardened-BYOS-EC2 Image SLES15-SP6-Hardened-BYOS-GCE Image SLES15-SP6-SAP Image SLES15-SP6-SAP-Azure Image SLES15-SP6-SAP-GCE Image SLES15-SP6-SAPCAL Image SLES15-SP6-SAPCAL-Azure Image SLES15-SP6-SAPCAL-GCE Image SLES15-SP7-HPC-BYOS-Azure Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server 15 SP6-LTSS Fixed

Share

CVE-2026-43618 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy