CVE-2026-45232 — Vulnetix

CVE-2026-45232 PUBLISHED CVSS 2.0999999046325684 LOW

Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c that allows network attackers to corrupt stack memory by sending a malformed HTTP proxy response. Attackers can exploit this by positioning themselves between the client and proxy or controlling the proxy server to send a response line of 1023 or more bytes without a newline terminator, causing a null byte to be written to an out-of-bounds stack address when the RSYNC_PROXY environment variable is set.

EPSS 0.04% · 13.3th percentile

Risk Scores

CVSS v4.0

2.0999999046325684

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS Score

0.04%

13.3th percentile

Affected Products

Vendor	Product	Versions
RsyncProject	rsync	0

Timeline

May 20, 2026 EPSS Score
May 20, 2026 CVE Published
May 20, 2026 CVE Updated
May 20, 2026 PoC Published
May 20, 2026 PoC Published
May 21, 2026 EPSS Score
May 21, 2026 Security Advisory
May 22, 2026 EPSS Score
May 23, 2026 EPSS Score
May 24, 2026 EPSS Score
May 25, 2026 EPSS Score
May 26, 2026 EPSS Score

References

https://github.com/RsyncProject/rsync/security/advisories/GHSA-8f85-j2cv-59m8 vendor-advisory
https://github.com/RsyncProject/rsync/releases/tag/v3.4.3 url
https://www.vulncheck.com/advisories/rsync-off-by-one-stack-write-via-http-proxy third-party-advisory

Open in Interactive Console →