Skip to main content

Rsync CVE-2026-43620

| EUVDEUVD-2026-31012 MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-20 VulnCheck GHSA-jmf6-74r8-6c28
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
CVSS changed
May 20, 2026 - 02:22 NVD
6.5 (MEDIUM) 6.9 (MEDIUM)
Patch available
May 20, 2026 - 02:01 EUVD
Source Code Evidence Fetched
May 20, 2026 - 01:44 vuln.today
Analysis Generated
May 20, 2026 - 01:44 vuln.today

DescriptionCVE.org

Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client.

AnalysisAI

Receiver-side out-of-bounds array read in Rsync 3.4.2 and earlier allows a malicious rsync server to deterministically crash any connecting client process via a crafted synchronization session. The flaw in recv_files() causes the client to dereference an invalid pointer at an unmapped address, producing a reliable SIGSEGV. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the crash is described as deterministic, meaning any attacker controlling or impersonating an rsync server can reliably deny service to clients that connect.

Technical ContextAI

Rsync is a widely deployed file-synchronization utility (cpe:2.3:a:rsyncproject:rsync:*:*:*:*:*:*:*:*) used in backup pipelines, CI/CD workflows, and OS package mirroring. The vulnerability resides in recv_files() within receiver.c, the client-side function responsible for processing the file list and transfer records sent by the server during a sync session. The root cause is CWE-125 (Out-of-Bounds Read): when the CF_INC_RECURSE compatibility flag is active, the receiver iterates a sorted file list and unconditionally uses ndx=0 as an array index without verifying whether a valid leading dot-directory entry occupies position zero. A malicious server can omit the expected dot-directory as the first sorted entry and then send a transfer record with ndx=0 carrying an iflag word that lacks the ITEM_TRANSFER bit, causing the receiver to read 8 bytes before the start of the allocated pointer array and dereference whatever invalid address it finds there. The absence of bounds checking before pointer arithmetic is the direct technical failure.

RemediationAI

The primary fix is upgrading rsync to version 3.4.3, which bundles security fixes for this and potentially other issues addressed in PR #895 ('combined security fixes for 3.4.3 release'). The patched release is available at https://github.com/RsyncProject/rsync/releases/tag/v3.4.3. Distributions packaging rsync should apply the upstream 3.4.3 release; users on systems awaiting distro patches should build from source. As a compensating control where upgrading is not immediately possible, restrict rsync client connections to trusted, authenticated servers only - for example, by routing all rsync sessions over SSH (rsync -e ssh) with strict host key checking enabled, which prevents connections to attacker-controlled endpoints and thus eliminates the attack surface. Additionally, review and audit any automated cron jobs or pipeline scripts that sync from public or third-party rsync mirrors, and consider temporarily disabling or pausing those jobs until patched. Blocking network paths to untrusted rsync servers (TCP 873) at the perimeter is a coarser control with the trade-off of disrupting legitimate mirror traffic.

More in Rsync

View all
CVE-2024-12085 HIGH POC
7.5 Jan 14

A flaw was found in rsync which could be triggered when rsync compares file checksums. Rated high severity (CVSS 7.5), t

CVE-2024-12084 CRITICAL POC
9.8 Jan 15

A heap-based buffer overflow flaw was found in the rsync daemon. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2014-9512 MEDIUM POC
6.4 Feb 12

rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization pa

CVE-2024-12087 HIGH POC
7.5 Jan 14

Server-to-client path traversal in rsync lets a malicious or compromised rsync server write files outside the client's i

CVE-2022-29154 HIGH POC
7.4 Aug 02

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the d

CVE-2014-2855 HIGH
7.8 Apr 23

The check_secret function in authenticate.c in rsync 3.1.0 and earlier allows remote attackers to cause a denial of serv

CVE-2024-12086 MEDIUM POC
6.8 Jan 14

A flaw was found in rsync. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authenticati

CVE-2017-16548 CRITICAL
9.8 Nov 06

The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character

CVE-2017-17434 CRITICAL
9.8 Dec 06

The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_

CVE-2017-15994 CRITICAL
9.8 Oct 29

rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to by

CVE-2024-12088 HIGH
7.5 Jan 14

Arbitrary file write outside the intended destination in rsync's client-side `--safe-links` handling allows a malicious

CVE-2026-41035 HIGH
7.8 Apr 16

Receiver-side use-after-free in rsync 3.0.1 through 3.4.1 lets a malicious peer corrupt memory on a host running rsync w

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:latest Image SLE-Micro-BYOS-EC2 Affected
Image SLES15-SP6 Image SLES15-SP6-BYOS Image SLES15-SP6-BYOS-Azure Image SLES15-SP6-BYOS-EC2 Image SLES15-SP6-BYOS-GCE Image SLES15-SP6-GCE Image SLES15-SP6-HPC-BYOS Image SLES15-SP6-HPC-BYOS-Azure Image SLES15-SP6-HPC-BYOS-EC2 Image SLES15-SP6-HPC-BYOS-GCE Image SLES15-SP6-HPC-EC2 Image SLES15-SP6-HPC-GCE Image SLES15-SP6-Hardened-BYOS Image SLES15-SP6-Hardened-BYOS-Azure Image SLES15-SP6-Hardened-BYOS-EC2 Image SLES15-SP6-Hardened-BYOS-GCE Image SLES15-SP6-SAP Image SLES15-SP6-SAP-Azure Image SLES15-SP6-SAP-GCE Image SLES15-SP6-SAPCAL Image SLES15-SP6-SAPCAL-Azure Image SLES15-SP6-SAPCAL-GCE Image SLES15-SP7-HPC-BYOS-Azure Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server 15 SP6-LTSS Fixed

Share

CVE-2026-43620 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy