CVE-2026-43620
Rsync Client Out-of-Bounds Read Vulnerability

Publication date: 2026-05-20

Last updated on: 2026-05-21

Assigner: VulnCheck

Description
Rsync versions 3.4.2 and earlier contain a receiver-side out-of-bounds array read in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. A malicious server sets CF_INC_RECURSE in the compatibility flags and sends a crafted file list whose first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER. The receiver then reads 8 bytes before the allocated pointer array and dereferences an invalid pointer at an unmapped address, producing a deterministic SIGSEGV in the rsync client.
Meta Information
Generated: 2026-06-09
EPSS Evaluated: 2026-06-08
Affected Vendors & Products
Vendor: samba
Product: rsync
Version / Range: up to and including 3.4.2
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

CVE-2026-43620 is a vulnerability in rsync versions prior to 3.4.3 that allows a malicious rsync server to crash any client pulling data from it through a receiver-side out-of-bounds array read.

The issue occurs in the recv_files() function when a malicious server sends a specially crafted file list with specific flags and indices, causing the client to read memory outside the allocated buffer.

This leads to a segmentation fault (SIGSEGV) due to dereferencing invalid memory, effectively causing a denial-of-service (DoS) condition on the rsync client.

The attack exploits the CF_INC_RECURSE compatibility flag and a crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word missing the ITEM_TRANSFER flag.

Impact Analysis

This vulnerability can cause the rsync client process to crash deterministically when connecting to a malicious rsync server.

The impact is primarily a denial-of-service (DoS) condition, where the availability of the rsync client is disrupted.

Since the attack does not require special client-side options and works with default protocol settings, any client pulling data from a malicious server is at risk.

Detection Guidance

This vulnerability causes the rsync client process to crash with a segmentation fault (SIGSEGV) when connecting to a malicious rsync server that sends a specially crafted file list.

Detection can be performed by monitoring rsync client processes for unexpected crashes or segmentation faults during data pulls from rsync servers.

A practical approach is to run rsync commands against suspected servers and observe if the client crashes deterministically.

  • Use a standard rsync pull command such as: rsync -av rsync://malicious-server/path/ /tmp/test
  • Monitor system logs (e.g., dmesg, /var/log/syslog) for segmentation fault messages related to the rsync client.
  • Use debugging tools like gdb to trace rsync client crashes if reproducible.
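As an added example (not part of this CVE record), a small Python parser for the kernel segfault lines the guidance above says to watch for in dmesg or /var/log/syslog; it accepts both the bare dmesg form and the syslog-prefixed form, and the log lines it runs on are constructed samples.

```python
import re
from typing import Dict, List

# Kernel "segfault at" report format (x86-64 Linux), as it appears in dmesg
# and, with a syslog prefix, in /var/log/syslog. The lines below are
# constructed samples for this example, not captures from a real incident.
SAMPLE_LOG = """\
May 20 10:14:02 host kernel: [12345.678901] rsync[4321]: segfault at 7f3c1d2e0ff8 ip 000055d4c0a1b2c3 sp 00007ffd9a8b7c40 error 4 in rsync[55d4c0a00000+40000]
May 20 10:14:05 host sshd[999]: Accepted publickey for alice from 192.0.2.10 port 50022
[12433.000001] rsync[4390]: segfault at 7f9a0b1c2ff8 ip 000055a1d0e1f2a3 sp 00007ffc1234abcd error 4 in rsync[55a1d0e00000+40000]
[12463.000002] curl[5000]: segfault at 0 ip 00007f00deadbeef sp 00007ffc00000000 error 4 in libc.so.6[7f00dead0000+1c0000]
"""

SEGFAULT_RE = re.compile(
    r"(?P<comm>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) in (?P<obj>\S+)"
)


def parse_segfaults(log_text: str, comm: str = "rsync") -> List[Dict[str, object]]:
    """Return one record per kernel segfault line whose crashing command is `comm`."""
    events = []
    for line in log_text.splitlines():
        m = SEGFAULT_RE.search(line)
        if not m or m.group("comm") != comm:
            continue
        err = int(m.group("err"))
        events.append({
            "pid": int(m.group("pid")),
            "fault_addr": int(m.group("addr"), 16),
            # x86 page-fault error code: bit 0 = page was present (protection
            # fault), bit 1 = write access, bit 2 = user mode. A user-mode read
            # of an unmapped address, which this bug produces, logs as "error 4".
            "unmapped_read": (err & 0b011) == 0,
            "object": m.group("obj"),
        })
    return events


def triage(log_text: str) -> str:
    """One-line verdict suitable for an alert body."""
    events = parse_segfaults(log_text)
    if not events:
        return "no rsync segfaults"
    pids = ", ".join(str(e["pid"]) for e in events)
    kind = "unmapped-read" if all(e["unmapped_read"] for e in events) else "mixed"
    return f"{len(events)} rsync segfault(s) ({kind}) pids {pids}"


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```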

Mitigation Strategies

The primary mitigation is to upgrade rsync to version 3.4.3 or later, where the vulnerability has been fixed by adding a guard against the out-of-bounds access.

If immediate upgrade is not possible, a temporary workaround is to disable the inc_recurse protocol feature on the client side by using the --no-inc-recursive option in rsync commands.

Note that disabling inc_recurse may impact performance for large transfers.

  • Upgrade rsync to version 3.4.3 or later.
  • Use rsync with the --no-inc-recursive option to disable the vulnerable feature temporarily.
  • Monitor rsync client behavior and logs for any crashes or anomalies.

Compliance Impact

The provided information does not include any details on how the CVE-2026-43620 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
