Integer Overflow Vulnerability in Rsync from Rsync Project
CVE-2026-43618

6.1 MEDIUM

Key Information:

Status: Vendor
CVE Published: 20 May 2026

What is CVE-2026-43618?

An integer overflow vulnerability exists in Rsync versions 3.4.2 and earlier, specifically within the compressed-token decoder. The flaw arises from a 32-bit signed counter that is not checked for overflow. An attacker who controls the data sent to the receiver can trigger this overflow, which can lead to the disclosure of sensitive process memory. Such memory may include environment variables, passwords, and stack and heap contents, which undermines the effectiveness of Address Space Layout Randomization (ASLR) and opens avenues for further exploitation.

Affected Version(s)

rsync 0 < 3.4.3

References

CVSS V4

Score: 6.1
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Omar Elsayed (@seks99x)