Skip to main content

rsync CVE-2026-45232

| EUVDEUVD-2026-31009 LOW
Off-by-one Error (CWE-193)
2026-05-20 VulnCheck
2.1
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.3 MEDIUM
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
CVSS changed
May 20, 2026 - 02:22 NVD
3.1 (LOW) 2.1 (LOW)
Patch available
May 20, 2026 - 02:01 EUVD
Source Code Evidence Fetched
May 20, 2026 - 01:44 vuln.today
Analysis Generated
May 20, 2026 - 01:44 vuln.today

DescriptionCVE.org

Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c that allows network attackers to corrupt stack memory by sending a malformed HTTP proxy response. Attackers can exploit this by positioning themselves between the client and proxy or controlling the proxy server to send a response line of 1023 or more bytes without a newline terminator, causing a null byte to be written to an out-of-bounds stack address when the RSYNC_PROXY environment variable is set.

AnalysisAI

Stack memory corruption in rsync before 3.4.3 allows network-positioned attackers to write a null byte past the end of a fixed-size stack buffer in the establish_proxy_connection() function in socket.c. The vulnerability is only reachable when the RSYNC_PROXY environment variable is set and an attacker controls or intercepts traffic to the configured HTTP proxy. Impact is constrained to a low-severity availability disruption (process crash) with no confidentiality or integrity exposure; no public exploit has been identified at time of analysis.

Technical ContextAI

The root cause is CWE-193 (Off-by-One Error) in the establish_proxy_connection() function in socket.c. The function reads an HTTP CONNECT proxy response into a fixed 1024-byte stack buffer but does not account for the null terminator when checking the response length boundary. When the proxy returns a response line of 1023 or more bytes without a newline, the code writes a null byte to an address one position beyond the buffer's end, corrupting adjacent stack memory. This code path is only invoked when the RSYNC_PROXY environment variable is configured, directing rsync to tunnel connections through an HTTP CONNECT proxy. CPE cpe:2.3:a:rsyncproject:rsync:*:*:*:*:*:*:*:* confirms all rsync versions prior to 3.4.3 carry the vulnerable code.

RemediationAI

Upgrade rsync to version 3.4.3, which includes the combined security fixes released by the RsyncProject team. The patched release is available at https://github.com/RsyncProject/rsync/releases/tag/v3.4.3 and the authoritative advisory is at https://github.com/RsyncProject/rsync/security/advisories/GHSA-8f85-j2cv-59m8. For environments that cannot upgrade immediately, the most effective compensating control is to unset the RSYNC_PROXY environment variable from all rsync invocations and system-level environments (e.g., /etc/environment, systemd unit files, cron job wrappers). Because the vulnerable code path in establish_proxy_connection() is only reachable when RSYNC_PROXY is defined, removing this variable completely eliminates the attack surface with no functional impact for deployments that do not rely on HTTP proxy tunneling for rsync. Organizations using rsync through an HTTP proxy should also audit whether the proxy endpoint is exposed to untrusted network positions.

More in Rsync

View all
CVE-2024-12085 HIGH POC
7.5 Jan 14

A flaw was found in rsync which could be triggered when rsync compares file checksums. Rated high severity (CVSS 7.5), t

CVE-2024-12084 CRITICAL POC
9.8 Jan 15

A heap-based buffer overflow flaw was found in the rsync daemon. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2014-9512 MEDIUM POC
6.4 Feb 12

rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization pa

CVE-2024-12087 HIGH POC
7.5 Jan 14

Server-to-client path traversal in rsync lets a malicious or compromised rsync server write files outside the client's i

CVE-2022-29154 HIGH POC
7.4 Aug 02

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the d

CVE-2014-2855 HIGH
7.8 Apr 23

The check_secret function in authenticate.c in rsync 3.1.0 and earlier allows remote attackers to cause a denial of serv

CVE-2024-12086 MEDIUM POC
6.8 Jan 14

A flaw was found in rsync. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authenticati

CVE-2017-16548 CRITICAL
9.8 Nov 06

The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character

CVE-2017-17434 CRITICAL
9.8 Dec 06

The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_

CVE-2017-15994 CRITICAL
9.8 Oct 29

rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to by

CVE-2024-12088 HIGH
7.5 Jan 14

Arbitrary file write outside the intended destination in rsync's client-side `--safe-links` handling allows a malicious

CVE-2026-41035 HIGH
7.8 Apr 16

Receiver-side use-after-free in rsync 3.0.1 through 3.4.1 lets a malicious peer corrupt memory on a host running rsync w

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed

Share

CVE-2026-45232 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy