Description
Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c that allows network attackers to corrupt stack memory by sending a malformed HTTP proxy response. Attackers can exploit this by positioning themselves between the client and proxy or controlling the proxy server to send a response line of 1023 or more bytes without a newline terminator, causing a null byte to be written to an out-of-bounds stack address when the RSYNC_PROXY environment variable is set.
Published: 2026-05-20
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the establish_proxy_connection() function of rsync, where an off-by-one out-of-bounds write occurs on the stack when parsing a proxy response line that is 1023 bytes or longer without a newline terminator. Triggering the write corrupts the stack and can cause crashes, memory corruption, or potentially code execution, depending on how the corrupted data is later used. The weakness is classified as CWE-193, an off-by-one error that affects reliability and integrity of the process.

Affected Systems

RsyncProject's rsync software is affected. All releases prior to version 3.4.3 are vulnerable. No specific sub-versions are listed beyond the generic "< 3.4.3" version range.

Risk and Exploitability

The CVSS score of 2.1 denotes a low severity impact, and the EPSS score is not available, implying no known widespread exploitation at this time. The vulnerability is not listed in CISA KEV. An attacker must position themselves on the network path between an rsync client and its HTTP proxy or control the proxy to send a long response line; the environment variable RSYNC_PROXY must be set for the exploit to trigger. Given these prerequisites, the risk remains low but remediation is advisable.

Generated by OpenCVE AI on May 20, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade rsync to version 3.4.3 or later
  • Configure any HTTP proxies in the path to enforce a maximum response line length of 1022 bytes and reject longer lines
  • Disable or remove the RSYNC_PROXY environment variable on systems where an HTTP proxy is not required
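The off-by-one pattern described in the Impact section, and the line-length limit recommended above, illustrated with an added C example written for this page. It is not rsync's socket.c: the 16-byte buffer, the function names and the sample responses are all hypothetical, and the reader works on an in-memory copy of the response rather than a socket. The first reader writes its terminating NUL one past the buffer when the response has no newline; the second reserves the last byte for the NUL and rejects the line instead.

```c
/*
 * Added illustration of the CWE-193 (off-by-one) pattern behind this CVE.
 * Hypothetical code written for this page, not rsync's own socket.c.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stack buffer size; kept small so the boundary is easy to see. */
#define LINE_BUF 16

/*
 * Off-by-one reader. Copies bytes from `resp` (a captured proxy response held
 * in memory instead of a socket) until a newline or LINE_BUF bytes. When the
 * loop exhausts the buffer without seeing a newline, `i` equals LINE_BUF and
 * the NUL lands in buf[LINE_BUF], one byte past the end. Only called on short
 * input here; it exists to show the pattern, not to run on untrusted data.
 */
static size_t read_line_off_by_one(const char *resp, size_t resp_len, char buf[LINE_BUF]) {
    size_t i = 0;
    while (i < LINE_BUF && i < resp_len && resp[i] != '\n') {
        buf[i] = resp[i];
        i++;
    }
    buf[i] = '\0';   /* BUG: i can equal LINE_BUF here */
    return i;
}

/*
 * Bounded reader. Reserves the last byte for the NUL and reports a line that
 * does not end within LINE_BUF - 1 bytes as an error rather than truncating
 * it silently (a truncated status line must not be parsed as if complete).
 * Returns the number of bytes stored, or -1 when the line is too long or the
 * input ends before a newline. buf is always NUL-terminated within bounds.
 */
static long read_line_bounded(const char *resp, size_t resp_len, char buf[LINE_BUF]) {
    size_t i = 0;
    buf[0] = '\0';
    while (i < resp_len) {
        if (resp[i] == '\n') {
            buf[i] = '\0';            /* i <= LINE_BUF - 1 here */
            return (long)i;
        }
        if (i == LINE_BUF - 1) {      /* no room for this byte plus the NUL: reject */
            buf[i] = '\0';
            return -1;
        }
        buf[i] = resp[i];
        i++;
    }
    buf[i] = '\0';                    /* i <= LINE_BUF - 1 here as well */
    return -1;                        /* ran out of input before a newline */
}

/* Convenience wrapper: run the bounded reader on a NUL-terminated string. */
static long bounded_len(const char *resp) {
    char buf[LINE_BUF];
    return read_line_bounded(resp, strlen(resp), buf);
}

int main(void) {
    /* Constructed sample responses; a real client would read them from the proxy socket. */
    const char ok_line[]   = "HTTP/1.1 200 OK\n";                     /* 15 bytes + newline: fits */
    const char long_line[] = "HTTP/1.1 200 Connection established";  /* no newline, longer than LINE_BUF */
    char buf[LINE_BUF];

    size_t n = read_line_off_by_one(ok_line, sizeof ok_line - 1, buf);
    printf("off-by-one reader, short line: %zu bytes -> \"%s\"\n", n, buf);

    long r = read_line_bounded(long_line, sizeof long_line - 1, buf);
    printf("bounded reader, long line: rc=%ld (rejected), stored \"%s\"\n", r, buf);

    /* read_line_off_by_one(long_line, ...) would write buf[LINE_BUF]; deliberately not called. */
    return 0;
}
```

The bounded reader returns -1 for any response line that does not terminate within the buffer, which is the same policy as the recommended proxy-side limit above (reject over-long lines rather than accept a truncated one); the caller should treat that return as a failed proxy handshake.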

Generated by OpenCVE AI on May 20, 2026 at 02:50 UTC.

Advisories
Source       ID           Title
Debian DSA   DSA-6282-1   rsync security update
Ubuntu USN   USN-8283-1   rsync vulnerabilities
History

Wed, 20 May 2026 18:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Rsync Project; Rsync Project rsync
Vendors & Products                     Rsync Project; Rsync Project rsync

Wed, 20 May 2026 01:30:00 +0000

Type          Values Removed   Values Added
Description                    Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c that allows network attackers to corrupt stack memory by sending a malformed HTTP proxy response. Attackers can exploit this by positioning themselves between the client and proxy or controlling the proxy server to send a response line of 1023 or more bytes without a newline terminator, causing a null byte to be written to an out-of-bounds stack address when the RSYNC_PROXY environment variable is set.
Title                          Rsync < 3.4.3 Off-by-One Stack Write via HTTP Proxy
Weaknesses                     CWE-193
References
Metrics                        cvssV3_1: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L'}
                               cvssV4_0: {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-20T17:31:52.358Z

Reserved: 2026-05-11T14:14:49.612Z

Link: CVE-2026-45232

Vulnrichment

Updated: 2026-05-20T17:30:48.307Z

NVD

Status: Awaiting Analysis

Published: 2026-05-20T02:16:36.887

Modified: 2026-05-20T13:58:07.923

Link: CVE-2026-45232

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:43Z

Weaknesses