Out-of-Bounds Array Read Vulnerability in Rsync by Rsync Project
CVE-2026-43620

6.9MEDIUM

Key Information:

Vendor

Rsyncproject

Status
Rsync
Vendor
CVE Published:
20 May 2026

What is CVE-2026-43620?

The Rsync software versions 3.4.2 and earlier contain a vulnerability in the recv_files() function within receiver.c. This flaw enables a malicious rsync server to exploit the vulnerability by crafting a specific file list. If certain compatibility flags such as CF_INC_RECURSE are set, an attacker can manipulate the file list to cause the rsync client to read beyond the allocated buffer, leading to a crash due to a SIGSEGV signal. This not only affects the stability of the rsync client but can also allow attackers to disrupt file synchronization processes by intentionally invoking this vulnerability.

Affected Version(s)

rsync 0 < 3.4.3

References

https://github.com/RsyncProject/rsync/security/advisories...
vendor-advisory
https://github.com/RsyncProject/rsync/releases/tag/v3.4.3
release-notes
https://www.vulncheck.com/advisories/rsync-out-of-bounds-...
third-party-advisory

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pratham Gupta (@prathamgupta36)
.