CVE-2026-45232
Off-by-One Stack Write in Rsync
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-193 | A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an off-by-one out-of-bounds stack write in the rsync client software, specifically in the establish_proxy_connection() function in socket.c. It occurs when the client reads the first response line from an HTTP proxy one byte at a time into a 1024-byte buffer. If the proxy sends a response line of 1023 or more bytes without a newline terminator, the code attempts to add a null byte beyond the buffer boundary, corrupting adjacent stack memory.
This can be exploited by an attacker who controls the proxy server or is positioned between the client and proxy (man-in-the-middle) to send a malformed HTTP proxy response. The vulnerability only affects clients using an HTTP CONNECT proxy via the RSYNC_PROXY environment variable.
How can this vulnerability impact me? :
The impact of this vulnerability is limited to client-side stack memory corruption of one byte. This can cause the rsync client to misbehave or crash.
There is no arbitrary code execution, information disclosure, or server-side exposure associated with this vulnerability. The severity is considered low.
Users who rely on rsync with an HTTP CONNECT proxy and the RSYNC_PROXY environment variable set should upgrade to version 3.4.3 or later to avoid this issue or avoid using untrusted proxies.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when the rsync client uses an HTTP CONNECT proxy via the RSYNC_PROXY environment variable and the proxy returns a response line of 1023 or more bytes without a newline terminator, causing a stack corruption.
To detect this vulnerability on your system, you can check the rsync version to see if it is before 3.4.3, which is vulnerable.
- Run the command: rsync --version
To detect exploitation attempts on your network, monitor HTTP CONNECT proxy responses for unusually long first response lines (1023 bytes or more) without newline terminators.
Specific commands to detect malformed proxy responses are not provided in the resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade rsync to version 3.4.3 or later, which contains a patch that safely handles overly long proxy response lines.
Until you can upgrade, avoid using untrusted HTTP CONNECT proxies with rsync, especially when the RSYNC_PROXY environment variable is set.
If possible, disable the use of the RSYNC_PROXY environment variable or restrict proxy usage to trusted servers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in rsync before version 3.4.3 involves an off-by-one out-of-bounds stack write that can cause client-side memory corruption when using an HTTP CONNECT proxy. However, there is no indication from the provided information that this vulnerability leads to information disclosure, data breach, or unauthorized access to sensitive data.
Because the impact is limited to client-side stack corruption without arbitrary write capability or information disclosure, it is unlikely that this vulnerability directly affects compliance with data protection regulations such as GDPR or HIPAA.
Nevertheless, organizations relying on rsync in proxy environments should apply the patch or avoid untrusted proxies to maintain secure operations and reduce risk, which supports overall compliance efforts.