CVE-2026-43620: Out-of-bounds Read in RsyncProject rsync
Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client.
AI Analysis
Technical Summary
Rsync versions up to 3.4.2 contain a receiver-side out-of-bounds array read vulnerability in the recv_files() function within receiver.c. The issue arises when the CF_INC_RECURSE compatibility flag is set and the server sends a file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word missing ITEM_TRANSFER. This causes the client to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped memory address, resulting in a deterministic crash (SIGSEGV) of the rsync client process. The vulnerability can be exploited remotely by a malicious rsync server without requiring privileges or user interaction beyond initiating the connection.
Potential Impact
Successful exploitation results in a denial of service by crashing the rsync client process. There is no indication of code execution or data corruption beyond the crash. The vulnerability affects client-side rsync versions 3.4.2 and earlier. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid connecting to untrusted or malicious rsync servers. Monitoring for updates from the RsyncProject is recommended to apply any forthcoming patches promptly.
CVE-2026-43620: Out-of-bounds Read in RsyncProject rsync
Description
Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Rsync versions up to 3.4.2 contain a receiver-side out-of-bounds array read vulnerability in the recv_files() function within receiver.c. The issue arises when the CF_INC_RECURSE compatibility flag is set and the server sends a file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word missing ITEM_TRANSFER. This causes the client to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped memory address, resulting in a deterministic crash (SIGSEGV) of the rsync client process. The vulnerability can be exploited remotely by a malicious rsync server without requiring privileges or user interaction beyond initiating the connection.
Potential Impact
Successful exploitation results in a denial of service by crashing the rsync client process. There is no indication of code execution or data corruption beyond the crash. The vulnerability affects client-side rsync versions 3.4.2 and earlier. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid connecting to untrusted or malicious rsync servers. Monitoring for updates from the RsyncProject is recommended to apply any forthcoming patches promptly.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-05-01T18:22:45.639Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0d0f6cba1db473621796e4
Added to database: 5/20/2026, 1:33:32 AM
Last enriched: 5/20/2026, 1:48:46 AM
Last updated: 5/20/2026, 5:49:40 PM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.