Description
Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client.
Published: 2026-05-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out‑of‑bounds array read in the recv_files() function of rsync receivers. By manipulating the CF_INC_RECURSE compatibility flag and supplying a crafted file list that begins with a non‑dot directory, an attacker can cause the receiver to read 8 bytes before the allocated pointer array, dereference an invalid pointer, and trigger a deterministic segmentation fault. This results in a client crash and denial of service.
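
The index arithmetic behind that read, as an added illustration that is not rsync's code: the toy file list below parks the leading "." directory one slot before the pointer array (files[-1]) and resolves a transfer index as files[ndx - ndx_start]. That layout, the field names and the lookup functions are assumed simplifications for this example, not rsync's struct file_list or recv_files(). With ndx_start 1 and a record carrying ndx 0, the unchecked lookup reads files[-1]; when the first sorted entry was not the dot directory, nothing valid lives there. The checked variant rejects any sender-chosen index outside the range the list actually covers, which is the bounds check a receiver needs before trusting protocol data.

```c
#include <stdio.h>
#include <string.h>

/* Toy model constructed for this example. It is NOT rsync's struct file_list:
 * the field names and the convention that the leading "." directory is parked
 * at files[-1] (so that index ndx_start - 1 refers to it) are assumptions used
 * to illustrate the index arithmetic in the advisory. */
struct entry {
    const char *name;
};

struct file_list {
    struct entry **files;   /* files[-1] is valid only when dot_dir_parked */
    int ndx_start;          /* transfer index that maps to files[0] */
    int used;               /* entries reachable as files[0 .. used-1] */
    int dot_dir_parked;     /* nonzero when "." really was parked at files[-1] */
};

/* Vulnerable pattern: trust the sender's index. With ndx_start == 1 and
 * ndx == 0 this reads files[-1], one pointer (8 bytes on LP64) before the
 * array, whether or not anything was parked there. */
static struct entry *lookup_unchecked(const struct file_list *fl, int ndx)
{
    return fl->files[ndx - fl->ndx_start];
}

/* Hardened pattern: the only index below ndx_start that is ever legitimate is
 * ndx_start - 1, and only when the dot dir was actually parked. */
static struct entry *lookup_checked(const struct file_list *fl, int ndx)
{
    int lowest = fl->ndx_start - (fl->dot_dir_parked ? 1 : 0);
    if (ndx < lowest || ndx >= fl->ndx_start + fl->used)
        return NULL;        /* caller treats NULL as a protocol error */
    return fl->files[ndx - fl->ndx_start];
}

/* Sample list (constructed): two regular entries after sorting, ndx_start 1.
 * storage[0] stands in for the memory before the array; here it is NULL so
 * the unsafe read stays in bounds and returns NULL instead of faulting,
 * whereas in the real bug that slot is outside the allocation. */
static struct entry ent_dot = { "." };
static struct entry ent_a   = { "a.txt" };
static struct entry ent_b   = { "b.txt" };
static struct entry *storage[4];

static struct file_list build_list(int first_entry_is_dot_dir)
{
    struct file_list fl;
    memset(storage, 0, sizeof storage);
    fl.files = storage + 1;
    fl.ndx_start = 1;
    fl.used = 2;
    fl.files[0] = &ent_a;
    fl.files[1] = &ent_b;
    fl.dot_dir_parked = first_entry_is_dot_dir;
    if (first_entry_is_dot_dir)
        fl.files[-1] = &ent_dot;
    return fl;
}

/* Receiver handling one transfer record (ndx, iflags) without ITEM_TRANSFER:
 * it only needs the entry to log its name. Returns the name it would log, or
 * "protocol error" when the checked lookup rejects the index. */
const char *handle_record_checked(int first_entry_is_dot_dir, int ndx)
{
    struct file_list fl = build_list(first_entry_is_dot_dir);
    struct entry *e = lookup_checked(&fl, ndx);
    return e ? e->name : "protocol error";
}

/* Same record through the unchecked lookup: 1 if it yields a usable entry,
 * 0 if it yields NULL, the stand-in for the invalid pointer the real
 * receiver would dereference. */
int unchecked_lookup_is_valid(int first_entry_is_dot_dir, int ndx)
{
    struct file_list fl = build_list(first_entry_is_dot_dir);
    return lookup_unchecked(&fl, ndx) != NULL;
}

int main(void)
{
    printf("dot dir first, ndx 0: %s\n", handle_record_checked(1, 0));
    printf("no dot dir,    ndx 0: %s\n", handle_record_checked(0, 0));
    printf("unchecked, no dot dir, ndx 0 valid? %d\n", unchecked_lookup_is_valid(0, 0));
    return 0;
}
```

The point of the checked variant is that the legitimate lower bound depends on list state the sender does not control: ndx_start - 1 is acceptable only when the receiver itself parked the dot directory there, so a record with ndx 0 against a list whose first sorted entry is something else is rejected as a protocol error instead of being dereferenced.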

Affected Systems

Installations of the Rsync Project's rsync 3.4.2 or earlier are affected. The flaw is on the receiving side, so the exposed party is an rsync client that pulls from a server it does not control; the transport does not matter, because the crafted file list and transfer record are part of the rsync protocol stream rather than of the connection carrying it. The fix is available in rsync 3.4.3 and later releases.

Risk and Exploitability

The CVSS score of 6.9 (v4.0; 6.5 under v3.1) reflects an impact limited to availability: a crash of the client process. The EPSS score is below 1% (Very Low), and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires a malicious rsync server that sets CF_INC_RECURSE in the compatibility flags it sends and then delivers the crafted file list and transfer record; the only user interaction needed is running a transfer against that server. The flaw provides no code execution or data exfiltration.

Generated by OpenCVE AI on May 20, 2026 at 02:21 UTC.

Remediation

Fixed upstream in rsync 3.4.3 (the CVE title is "Rsync < 3.4.3"); Debian and Ubuntu have published updated packages, listed under Advisories below.

OpenCVE Recommended Actions

  • Upgrade to rsync 3.4.3 or later.
  • If an immediate upgrade is not possible, pass --no-inc-recursive (--no-i-r) when pulling from external servers. Treat this as a partial mitigation: the server, not the client, sets the CF_INC_RECURSE compatibility flag described above, so only the upgrade removes the unchecked read.
  • Restrict rsync clients to pulling from trusted servers. Tunnelling rsync over SSH protects the connection against on-path tampering but not against a malicious or compromised remote end, which is the attacker in this scenario, so it does not by itself reduce exposure to this bug.

Advisories
Source       ID           Title
Debian DLA   DLA-4591-1   rsync security update
Debian DSA   DSA-6282-1   rsync security update
Ubuntu USN   USN-8283-1   rsync vulnerabilities
History

Wed, 20 May 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc 2.0.3: Exploitation=none, Automatable=no, Technical Impact=partial


Wed, 20 May 2026 11:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Rsync Project; Rsync Project rsync
Vendors & Products    (none)           Rsync Project; Rsync Project rsync

Wed, 20 May 2026 01:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           (text as in Description above)
Title         (none)           Rsync < 3.4.3 Out-of-Bounds Array Read via recv_files()
Weaknesses    (none)           CWE-125
References    (none)           (none)
Metrics       (none)           cvssV3_1 6.5: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                               cvssV4_0 6.9: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-20T14:11:50.942Z

Reserved: 2026-05-01T18:22:45.639Z

Link: CVE-2026-43620

Vulnrichment

Updated: 2026-05-20T14:11:47.395Z

NVD

Status: Awaiting Analysis

Published: 2026-05-20T02:16:36.727

Modified: 2026-05-20T13:58:07.923

Link: CVE-2026-43620

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:41Z

Weaknesses