Vulnerability Description
Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Samba | Rsync | <= 3.4.2 |
Related Weaknesses (CWE)
References
- https://github.com/RsyncProject/rsync/releases/tag/v3.4.3Release Notes
- https://github.com/RsyncProject/rsync/security/advisories/GHSA-28pw-r563-rxvmVendor Advisory
- https://www.vulncheck.com/advisories/rsync-out-of-bounds-array-read-via-recv-filThird Party Advisory
FAQ
What is CVE-2026-43620?
CVE-2026-43620 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attac...
How severe is CVE-2026-43620?
CVE-2026-43620 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-43620?
Check the references section above for vendor advisories and patch information. Affected products include: Samba Rsync.