CVE-2026-43620

Published: May 20, 2026

Modified: May 26, 2026

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client.

Vendor	Product	Versions
RsyncProject	rsync	affected `0 - < 3.4.3`

Weaknesses (CWE)

CWE-125

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/RsyncProject/rsync/security/advisories/GHSA-28pw-r563-rxvm

vendor-advisory

https://github.com/RsyncProject/rsync/releases/tag/v3.4.3

release-notes

https://www.vulncheck.com/advisories/rsync-out-of-bounds-array-read-via-recv-files

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-43620

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References