CVE-2026-43620
Rsync Client Out-of-Bounds Read Vulnerability
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rsync | rsync | before 3.4.3 (affected) |
| rsync | rsync | 3.4.3 and later (fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-43620 is a vulnerability in rsync versions prior to 3.4.3 that allows a malicious rsync server to crash any client pulling data from it through a receiver-side out-of-bounds array read.
The issue occurs in the recv_files() function when a malicious server sends a specially crafted file list with specific flags and indices, causing the client to read memory outside the allocated buffer.
This leads to a segmentation fault (SIGSEGV) due to dereferencing invalid memory, effectively causing a denial-of-service (DoS) condition on the rsync client.
The attack exploits the CF_INC_RECURSE compatibility flag and a crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word missing the ITEM_TRANSFER flag.
How can this vulnerability impact me?
This vulnerability can cause the rsync client process to crash deterministically when connecting to a malicious rsync server.
The impact is primarily a denial-of-service (DoS) condition, where the availability of the rsync client is disrupted.
Since the attack does not require special client-side options and works with default protocol settings, any client pulling data from a malicious server is at risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes the rsync client process to crash with a segmentation fault (SIGSEGV) when connecting to a malicious rsync server that sends a specially crafted file list.
Detection can be performed by monitoring rsync client processes for unexpected crashes or segmentation faults during data pulls from rsync servers.
A practical approach is to run rsync commands against suspected servers and observe whether the client crashes deterministically.
- Use a standard rsync pull command such as: rsync -av rsync://malicious-server/path/ /tmp/test
- Monitor system logs (e.g., dmesg, /var/log/syslog) for segmentation fault messages related to the rsync client.
- Use debugging tools like gdb to trace rsync client crashes if reproducible.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade rsync to version 3.4.3 or later, where the vulnerability has been fixed by adding a guard against the out-of-bounds access.
If immediate upgrade is not possible, a temporary workaround is to disable the inc_recurse protocol feature on the client side by using the --no-inc-recursive option in rsync commands.
Note that disabling inc_recurse may impact performance for large transfers.
- Upgrade rsync to version 3.4.3 or later.
- Use rsync with the --no-inc-recursive option to disable the vulnerable feature temporarily.
- Monitor rsync client behavior and logs for any crashes or anomalies.
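As an added example that is not part of this CVE record, the following POSIX shell snippet implements the two defensive checks described in the detection and mitigation answers above: scanning kernel log lines for segfault reports attributed to the rsync client binary, and parsing the first line of `rsync --version` to confirm the installed client is at least the fixed 3.4.3 release. The log lines and version banners are constructed samples, and the function names are assumptions of this example rather than anything rsync or the record provides.

```shell
#!/bin/sh
# Added example, not from the CVE record or the rsync project.

# Constructed sample of kernel/syslog lines: two rsync faults, one unrelated
# segfault (python3) and one unrelated sshd line.
SAMPLE_LOG='May 20 10:01:02 host kernel: [12345.678] rsync[4321]: segfault at 7f3c0000 ip 000055d4a1b2c3d4 sp 00007ffd12345678 error 4 in rsync[55d4a1b00000+9c000]
May 20 10:01:05 host sshd[999]: Accepted publickey for alice from 192.0.2.10 port 50000
May 20 10:02:00 host kernel: [12400.000] traps: rsync[4400] general protection fault ip:55d4a1b2c3d4 sp:7ffd12345678 error:0 in rsync[55d4a1b00000+9c000]
May 20 10:03:00 host kernel: [12500.000] python3[5000]: segfault at 0 ip 00005555deadbeef sp 00007ffc00000000 error 4 in python3[555500000000+100000]'

# Pattern for kernel fault reports whose faulting process is rsync
# (both the "segfault at" form and the "traps:" form).
RSYNC_FAULT_RE='rsync\[[0-9]+\]: segfault at|traps: rsync\[[0-9]+\]'

# count_rsync_faults LOGTEXT: print the number of rsync fault lines in LOGTEXT.
count_rsync_faults() {
    printf '%s\n' "$1" | grep -cE "$RSYNC_FAULT_RE" || true
}

# scan_dmesg_for_rsync_faults: print matching lines from the live kernel ring
# buffer (may need root to read dmesg on hardened systems).
scan_dmesg_for_rsync_faults() {
    dmesg 2>/dev/null | grep -E "$RSYNC_FAULT_RE" || true
}

# version_at_least VERSION MIN: exit 0 if dotted VERSION >= MIN, else 1.
# Compares up to three numeric components; missing components count as 0.
version_at_least() {
    awk -v v="$1" -v m="$2" 'BEGIN {
        split(v, a, "."); split(m, b, ".");
        for (i = 1; i <= 3; i++) {
            x = a[i] + 0; y = b[i] + 0;
            if (x > y) exit 0;
            if (x < y) exit 1;
        }
        exit 0
    }'
}

# rsync_banner_fixed BANNER: parse the first line of `rsync --version`
# (e.g. "rsync  version 3.2.7  protocol version 31") and exit 0 if the
# version is at least 3.4.3, 1 if older, 2 if the banner is unparseable.
rsync_banner_fixed() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^rsync *version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    version_at_least "$ver" 3.4.3
}

# check_installed_rsync: run the banner check against the local client.
check_installed_rsync() {
    if rsync_banner_fixed "$(rsync --version 2>/dev/null | head -n 1)"; then
        echo "rsync client is 3.4.3 or later"
    else
        echo "rsync client is older than 3.4.3 or not found; upgrade or use --no-inc-recursive"
        return 1
    fi
}
```

`count_rsync_faults "$(journalctl -k --no-pager)"` or `scan_dmesg_for_rsync_faults` can be dropped into a cron job or monitoring check; `check_installed_rsync` is the quick post-upgrade verification.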
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not include any details on how the CVE-2026-43620 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.