VDB
CVE-2026-43620
CVE-2026-43620
PUBLISHED
CVSS 6.900000095367432 MEDIUM
Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client.
EPSS 0.02% · 4.2th percentile
Risk Scores
CVSS v4.0
6.900000095367432
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.02%
4.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| RsyncProject | rsync | 0 |
Timeline
- May 20, 2026 EPSS Score
- May 20, 2026 CVE Published
- May 20, 2026 PoC Published
- May 20, 2026 PoC Published
- May 20, 2026 Security Advisory
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
- May 26, 2026 EPSS Score
- May 27, 2026 EPSS Score
References
- https://github.com/RsyncProject/rsync/security/advisories/GHSA-28pw-r563-rxvm vendor-advisory
- https://github.com/RsyncProject/rsync/releases/tag/v3.4.3 url
- https://www.vulncheck.com/advisories/rsync-out-of-bounds-array-read-via-recv-files third-party-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-43620 advisory