CVE-2026-43618 Overview
CVE-2026-43618 is an integer overflow in Rsync 3.4.2 and earlier that results in an out-of-bounds read [CWE-125]. The flaw is in the compressed-token decoder: a signed 32-bit counter that tracks token lengths is advanced by sender-supplied values without an overflow check. A malicious sender can wrap the counter so that the receiving process reads outside the intended buffer and returns the bytes it read over the protocol. The disclosed memory can include environment variables, passwords, heap and stack contents, and library pointers; the pointer leak in particular weakens Address Space Layout Randomization (ASLR) and makes a follow-on memory-corruption exploit easier to land.
Critical Impact
A network-positioned attacker controlling an Rsync sender can leak sensitive memory from the receiver process, exposing credentials and weakening ASLR protections that defend against memory corruption exploits.
Affected Products
- Rsync 3.4.2 and all prior versions
- Rsync clients that pull data from an untrusted sender, such as an untrusted daemon or mirror (in a pull, the client is the receiver)
- Rsync daemons and ssh-spawned server processes that receive pushes from untrusted senders, over TCP port 873 or an SSH transport, when compression is enabled for the session
Discovery Timeline
- 2026-05-20 - CVE-2026-43618 published to the National Vulnerability Database (NVD)
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-43618
Vulnerability Analysis
The compressed-token decoder reconstructs file data during a delta transfer: the sender emits a stream of tokens and the receiver expands them into the output file. The decoder tracks token lengths in a signed 32-bit integer counter and never checks whether adding a sender-supplied length would overflow it. Crafted token metadata therefore wraps the counter to a negative or unexpectedly large value, and the receiver then reads from an offset derived from that corrupted counter, outside the bounds of the intended buffer.
Because the bytes read from the out-of-bounds location are sent back over the protocol to the sender, a parsing bug becomes a remote information-disclosure primitive. The sender need not be a client: whichever side transmits file data is the sender, so a malicious daemon or mirror can target a client that pulls from it just as a malicious client can target a daemon that accepts pushes. The vulnerability is classified under [CWE-125] Out-of-bounds Read.
Root Cause
The root cause is missing arithmetic validation on a signed 32-bit length counter in the compressed-token decoder. Attacker-influenced length fields are added to the counter without first checking that the sum fits in the type or stays within the buffer, so the counter wraps; downstream pointer arithmetic then produces an address outside the legitimate buffer and the receiver reads memory it should never touch. Since signed overflow is undefined behaviour in C, a correct fix has to validate before the addition (compare the incoming length against INT32_MAX minus the current counter, and against the remaining buffer space) rather than test the sum afterwards.
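To make the bug class concrete, the following is an added C illustration, not rsync's code and not the code the advisory refers to: it models a decoder that advances a signed 32-bit position by sender-supplied token lengths, placing the unchecked pattern beside a checked one. The token layout (a sequence of lengths applied to a fixed window), the window size, and all function names are assumptions for the illustration.

```c
/*
 * Added illustration, not rsync's code. It models the class of bug the
 * advisory describes: a decoder that advances a signed 32-bit position by
 * sender-supplied token lengths. The token layout, buffer sizes and function
 * names here are assumptions for the illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Vulnerable pattern: the running position is a signed 32-bit int and each
 * token length is added without an overflow or bounds check. The cast via
 * uint32_t makes the wraparound deterministic for the demo (signed overflow
 * is undefined in C; real code wraps the same way on two's-complement targets). */
int32_t vulnerable_offset(const int32_t *lens, size_t n)
{
    int32_t pos = 0;
    for (size_t i = 0; i < n; i++)
        pos = (int32_t)((uint32_t)pos + (uint32_t)lens[i]);
    return pos;   /* later used as window + pos: a negative pos points before the buffer */
}

/* Returns 1 if a read of `len` bytes at `pos` stays inside a window of
 * `window_len` bytes, 0 otherwise. */
int read_in_window(int32_t pos, int32_t len, size_t window_len)
{
    if (pos < 0 || len < 0)
        return 0;
    return (size_t)pos + (size_t)len <= window_len;
}

/* Hardened pattern: reject a length that is negative, that would push the
 * counter past INT32_MAX, or that would run past the window, before it is
 * used. On failure returns -1 and leaves *pos untouched. */
int checked_advance(int32_t *pos, int32_t len, size_t window_len)
{
    if (len < 0)
        return -1;
    if (len > INT32_MAX - *pos)          /* overflow test done before the add */
        return -1;
    if ((size_t)*pos + (size_t)len > window_len)
        return -1;
    *pos += len;
    return 0;
}

/* Decode a whole token stream with the hardened check. Returns the index of
 * the first rejected token, or -1 if every token was accepted; *final holds
 * the position reached. */
long checked_decode(const int32_t *lens, size_t n, size_t window_len, int32_t *final)
{
    int32_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        if (checked_advance(&pos, lens[i], window_len) != 0) {
            *final = pos;
            return (long)i;
        }
    }
    *final = pos;
    return -1;
}

int main(void)
{
    /* Constructed sample streams: a benign one and one whose second length
     * wraps the 32-bit counter (0x7FFFFFF0 + 0x20 = 0x80000010). */
    const int32_t benign[] = { 16, 32, 64 };
    const int32_t crafted[] = { 0x7FFFFFF0, 0x20 };
    const size_t window_len = 4096;
    int32_t final;

    printf("benign  : unchecked pos=%ld\n", (long)vulnerable_offset(benign, 3));
    printf("crafted : unchecked pos=%ld (negative: read lands before the window)\n",
           (long)vulnerable_offset(crafted, 2));
    printf("crafted : hardened decoder rejects token %ld\n",
           checked_decode(crafted, 2, window_len, &final));
    return 0;
}
```

With the crafted stream the unchecked decoder ends at a position of INT32_MIN + 16, roughly 2 GiB before the window, which is exactly the kind of offset that turns a subsequent copy into a read of unrelated process memory; the checked decoder refuses the stream at the first token that cannot fit.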
Attack Vector
Exploitation requires a malicious sender talking to a vulnerable receiver in a session with compression enabled. The attacker crafts a compressed token stream whose lengths push the decoder's signed 32-bit counter past INT32_MAX; the receiver then sends fragments of its own process memory back to the sender as if they were decoded data. From those fragments an attacker can recover environment variables, in-memory credentials, heap and stack contents, and library base addresses that defeat ASLR. Technical details are available in the GitHub Security Advisory GHSA-g37v-g3gj-pmwq and the VulnCheck Advisory on Rsync.
Detection Methods for CVE-2026-43618
Indicators of Compromise
- Rsync sessions from untrusted or unexpected hosts reaching receivers that run version 3.4.2 or earlier
- Anomalously large or malformed compressed-token sequences in captured rsync protocol traffic, or compressed sessions in which the receiver returns far more data to the sender than the transfer should produce
- Rsync receiver processes crashing with segmentation faults during compressed transfers: an out-of-bounds read that lands outside mapped memory faults instead of leaking, so crashes are the noisy symptom of attempts
Detection Strategies
- Inventory every host running rsync and flag versions at or below 3.4.2, using the package manager (dpkg -l rsync, rpm -q rsync) or rsync --version, and remember statically linked or vendored copies that the package manager does not track
- Inspect network flows for Rsync sessions originating from unauthorized peers, particularly on TCP port 873 or over SSH tunnels
- Correlate Rsync daemon logs with authentication telemetry to identify sessions from unexpected source addresses
Monitoring Recommendations
- Enable verbose logging on Rsync daemons and forward logs to a centralized analytics platform for retention and review
- Monitor outbound data volumes from Rsync receivers for unexpected egress that could indicate memory leakage back to a sender
- Alert on Rsync process anomalies including segmentation faults or repeated short-lived sessions from a single source
How to Mitigate CVE-2026-43618
Immediate Actions Required
- Upgrade Rsync to version 3.4.3 or later on all senders and receivers as published in the GitHub Release v3.4.3
- Restrict Rsync daemon exposure by binding the daemon to trusted interfaces (the address parameter in rsyncd.conf, or --address on the command line) and enforcing host-based firewall rules on TCP port 873
- Require authentication for all Rsync sessions and disable anonymous module access where feasible
Patch Information
The Rsync project addressed the integer overflow in version 3.4.3. Administrators should pull the patched release from the GitHub Release v3.4.3 page or apply updated distribution packages once vendors publish backports. Review the GitHub Security Advisory GHSA-g37v-g3gj-pmwq for fix details.
Workarounds
- Disable compression until patching is complete: omit -z / --compress from your own invocations, and on daemons add refuse options = compress to rsyncd.conf so the daemon rejects the option itself; merely not passing -z on your side does not stop a client from pushing with it
- Limit Rsync receivers to authenticated, trusted senders: hosts allow and auth users in rsyncd.conf for daemons, and for ssh transports a forced command in authorized_keys (for example the rrsync wrapper shipped with rsync) so a key can only run a constrained rsync
- Run Rsync receiver processes under unprivileged service accounts to reduce the value of any memory disclosed through exploitation
# Configuration example
# /etc/rsyncd.conf - restrict access and disable anonymous use
uid = rsyncuser
gid = rsyncuser
use chroot = yes
max connections = 4
hosts allow = 10.0.0.0/24
hosts deny = *
auth users = backupuser
secrets file = /etc/rsyncd.secrets
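The fragment above sets only global defaults. The following added rsyncd.conf is an example written for this page, not configuration from the rsync project: it extends the fragment with a module definition and refuses --compress, so that a pushing client cannot enable the compressed-token decoder on the daemon. The module name, paths, user names and network range are assumptions.

```ini
# Added example rsyncd.conf (not from the rsync project). Assumed names:
# module "backup", path /srv/rsync/backup, user rsyncuser, range 10.0.0.0/24.

# Global settings (also act as defaults for every module)
uid = rsyncuser
gid = rsyncuser
use chroot = yes
max connections = 4
log file = /var/log/rsyncd.log
address = 10.0.0.5
hosts allow = 10.0.0.0/24
hosts deny = *
# Refuse --compress (-z) for every module: the daemon, as receiver of a push,
# then never runs the compressed-token decoder for the session.
refuse options = compress

[backup]
    path = /srv/rsync/backup
    comment = Push target for trusted backup clients only
    read only = no
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets
```

A client that connects with -z is rejected by the daemon with an error naming the refused option, which is the check to run after deploying the change. Note that refuse options only protects the daemon side; a host that pulls from an untrusted daemon is itself the receiver and is protected by not passing -z in that invocation, or by upgrading to 3.4.3.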
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


