CVE-2026-43618 is an integer overflow vulnerability in rsync version 3.4.2 and prior, specifically in the compressed-token decoder component. The vulnerability arises because a 32-bit signed counter is not properly checked for overflow, enabling a malicious sender to trigger an overflow condition. This overflow causes the receiver process to read and return data from outside the intended buffer bounds, potentially leaking sensitive memory contents including environment variables, passwords, heap and stack data, and pointers to libraries. This memory disclosure reduces the effectiveness of Address Space Layout Randomization (ASLR), which can facilitate further exploitation. The vulnerability is remotely exploitable over the network with low attack complexity but requires partial user privileges on the receiver side. The CVSS 4.0 vector indicates network attack vector, low attack complexity, partial privileges required, no user interaction, and high impact on confidentiality and availability. No official remediation or patch has been confirmed yet.

Successful exploitation of this vulnerability can disclose sensitive process memory contents such as environment variables, passwords, heap and stack data, and library memory pointers. This disclosure significantly reduces the effectiveness of ASLR, increasing the risk of further exploitation. The vulnerability does not directly allow code execution but can facilitate subsequent attacks by leaking critical memory information. There are no known exploits in the wild currently.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider limiting exposure of rsync services to untrusted networks and monitor for unusual activity. No vendor-provided temporary or official fixes are currently documented.