CVE-2026-43620 Overview
CVE-2026-43620 is an out-of-bounds read vulnerability [CWE-125] in the recv_files() function in receiver.c of Rsync version 3.4.2 and earlier. A malicious rsync server can crash a connecting rsync client by sending a specially crafted file list and transfer record. The receiver reads 8 bytes before an allocated pointer array and dereferences an invalid pointer, producing a deterministic SIGSEGV. The flaw affects availability on the client side only and does not expose data or allow code execution. The Rsync Project addressed the issue in version 3.4.3.
Critical Impact
A malicious rsync server can reliably crash any rsync client at version 3.4.2 or earlier, disrupting backup, mirroring, and synchronization workflows that depend on rsync. The impact is limited to denial of service against the client process; the advisory describes no effect on the rsync server or daemon side.
Affected Products
- Rsync 3.4.2 and earlier versions
- rsync client process when connecting to an attacker-controlled server
- Systems and pipelines using vulnerable rsync clients for synchronization or backup
Discovery Timeline
- 2026-05-20 - CVE-2026-43620 published to the National Vulnerability Database (NVD)
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-43620
Vulnerability Analysis
The vulnerability resides in the receiver-side handler recv_files() in receiver.c, which processes the file list and per-file transfer records sent by the rsync server. When the server sets the CF_INC_RECURSE bit in the compatibility flags, the receiver expects the sorted file list to begin with the leading dot directory entry. A malicious server can violate this assumption and send a transfer record whose index ndx=0 references a position before the start of the allocated pointer array. The receiver then performs an out-of-bounds read of 8 bytes preceding the array and dereferences the resulting invalid pointer at an unmapped virtual address. The result is a deterministic segmentation fault that terminates the client process.
Root Cause
The receiver does not verify that the first sorted entry in the file list is the leading dot directory before it indexes the pointer array with a value supplied by the peer. In the crafted transfer record the iflag word also omits ITEM_TRANSFER, and the resulting code path computes a pointer location below the allocated buffer and dereferences it without any bounds check.
Attack Vector
Exploitation requires a victim to initiate an rsync session against an attacker-controlled or compromised rsync server. The attack is network-reachable and requires no authentication, but it does require user action to start the transfer. The impact is restricted to denial of service against the client process. See the GitHub Security Advisory GHSA-28pw-r563-rxvm and the VulnCheck Advisory: Rsync Out-of-Bounds Read for protocol-level details.
Note: no verified exploit code is published. The crash is triggered by a malicious server sending the CF_INC_RECURSE flag set, a file list whose first sorted entry is not the leading dot directory, and a transfer record with ndx=0 and an iflag word that does not include ITEM_TRANSFER.
Detection Methods for CVE-2026-43620
Indicators of Compromise
- Repeated SIGSEGV terminations of rsync client processes during file transfers from external or untrusted servers
- Core dumps from rsync referencing recv_files() in receiver.c on the call stack
- Failed backup or synchronization jobs that consistently crash when connecting to a specific remote rsync endpoint
Detection Strategies
- Inventory hosts running rsync versions at or below 3.4.2 using package managers and software bill of materials data
- Alert on rsync process exits with signal 11 in host logs, auditd, or journalctl output
- Inspect outbound rsync sessions to untrusted networks and flag servers that consistently cause client crashes
Monitoring Recommendations
- Forward rsync exit codes and crash telemetry into a centralized logging or SIEM pipeline for correlation across hosts
- Track changes to rsync endpoints used in scheduled jobs, including DNS resolution and TLS-wrapped tunnels
- Monitor for backup job failure spikes that align with new or modified remote rsync destinations
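As an added example (not part of the original advisory or the rsync project), the following POSIX shell snippet implements the "alert on signal 11 exits" strategy above over a constructed journal excerpt. The host name backup1, the unit name rsync-mirror.service and the PIDs are assumptions; the line layout mirrors what systemd and systemd-coredump log when a unit's main process is killed by a signal.

```shell
#!/bin/sh
# Added example, not code from the advisory or from rsync: count rsync units
# killed by SIGSEGV in a journal excerpt and raise an alert past a threshold.

# Constructed sample journal lines (assumed host, unit and PIDs). The nginx
# line is included to show that unrelated SIGSEGV exits are not counted.
SAMPLE_JOURNAL='May 20 10:01:12 backup1 systemd[1]: rsync-mirror.service: Main process exited, code=killed, status=11/SEGV
May 20 10:01:12 backup1 systemd-coredump[4321]: Process 4319 (rsync) of user 1000 dumped core.
May 20 10:05:02 backup1 systemd[1]: rsync-mirror.service: Main process exited, code=exited, status=0/SUCCESS
May 20 10:15:33 backup1 systemd[1]: rsync-mirror.service: Main process exited, code=killed, status=11/SEGV
May 20 10:15:33 backup1 systemd-coredump[4402]: Process 4400 (rsync) of user 1000 dumped core.
May 20 10:20:07 backup1 systemd[1]: nginx.service: Main process exited, code=killed, status=11/SEGV'

# Pattern for the systemd exit line of an rsync* unit killed by signal 11.
RSYNC_SEGV_RE='rsync[^ ]*\.service: Main process exited, code=killed, status=11/SEGV'

# Read journal text on stdin, print the number of rsync SIGSEGV exits.
# grep -c prints 0 and exits 1 when nothing matches, hence the || true.
rsync_segv_count() {
    grep -Ec "$RSYNC_SEGV_RE" || true
}

# Read journal text on stdin, print "<count> <unit>" per crashing unit,
# most frequent first, so the alert can name the job that is failing.
rsync_segv_units() {
    grep -E "$RSYNC_SEGV_RE" \
        | sed -E 's/.* ([^ ]+\.service): Main process.*/\1/' \
        | sort | uniq -c | sort -rn
}

# rsync_crash_alert THRESHOLD : read journal text on stdin; exit 0 (alert)
# when the number of rsync SIGSEGV exits reaches THRESHOLD, 1 otherwise.
rsync_crash_alert() {
    threshold="$1"
    count=$(rsync_segv_count)
    [ "$count" -ge "$threshold" ]
}

# Usage on a live host (not run here):
#   journalctl --since "-1h" --no-pager | rsync_crash_alert 2 && echo ALERT
# Usage on the constructed sample:
printf '%s\n' "$SAMPLE_JOURNAL" | rsync_segv_units
printf '%s\n' "$SAMPLE_JOURNAL" | rsync_crash_alert 2 \
    && echo "ALERT: repeated rsync SIGSEGV exits, check the remote endpoint"
```

The threshold, not a single crash, is what makes this usable as an alert: one segfault can be an unrelated fault, while the same unit dying with signal 11 on consecutive runs against the same endpoint is the pattern the advisory describes.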
How to Mitigate CVE-2026-43620
Immediate Actions Required
- Upgrade all rsync clients to version 3.4.3 or later as published in the GitHub Release v3.4.3
- Restrict outbound rsync connections to known, trusted servers using firewall egress rules
- Audit scheduled backup and mirror jobs to confirm the remote endpoint is operated by a trusted party
Patch Information
The Rsync Project fixed CVE-2026-43620 in rsync 3.4.3. The release notes and source are available in the GitHub Release v3.4.3 and the fix is documented in the GitHub Security Advisory GHSA-28pw-r563-rxvm. Linux distribution maintainers are expected to backport the fix to supported branches.
Workarounds
- Avoid connecting rsync clients to untrusted or attacker-controlled rsync servers until patched binaries are deployed
- Use SSH-tunneled rsync with strict host key verification so a client cannot be redirected to an impersonated endpoint; this does not help when the legitimate server itself is compromised, because the crafted file list arrives over the authenticated channel
- Run rsync jobs under a supervisor that restarts failed transfers and alerts on repeated SIGSEGV exits
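The supervisor workaround above, written out as an added POSIX shell example (not the rsync project's code). It relies on one fact about POSIX shells: a child killed by a signal is reported as 128 plus the signal number, so a SIGSEGV exit is status 139. The retry counts and the zero-second delay are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the advisory or from rsync: run a transfer
# under a supervisor that retries ordinary failures but stops early and
# returns a distinct alert code after repeated SIGSEGV exits.

# 128 + SIGSEGV (11): how a POSIX shell reports a child killed by SIGSEGV.
SEGV_STATUS=139

# supervise_rsync MAX_ATTEMPTS SLEEP_SECONDS CMD [ARGS...]
# Runs CMD up to MAX_ATTEMPTS times, sleeping SLEEP_SECONDS between tries.
# Returns:
#   0  the command eventually succeeded
#   2  every attempt died with SIGSEGV (alert: the remote endpoint is the
#      likely cause, so keep retrying is pointless and the job should page)
#   1  any other persistent failure
supervise_rsync() {
    max="$1"; delay="$2"; shift 2
    attempt=1
    segv_count=0
    while [ "$attempt" -le "$max" ]; do
        # The && / || form captures the status without tripping set -e.
        "$@" && status=0 || status=$?
        if [ "$status" -eq 0 ]; then
            return 0
        fi
        if [ "$status" -eq "$SEGV_STATUS" ]; then
            segv_count=$((segv_count + 1))
            echo "supervise_rsync: attempt $attempt died with SIGSEGV (status $status)" >&2
        else
            echo "supervise_rsync: attempt $attempt failed with status $status" >&2
        fi
        attempt=$((attempt + 1))
        if [ "$attempt" -le "$max" ]; then
            sleep "$delay"
        fi
    done
    if [ "$segv_count" -eq "$max" ]; then
        echo "supervise_rsync: ALERT: $max consecutive SIGSEGV exits, suspect the remote rsync endpoint" >&2
        return 2
    fi
    return 1
}

# Usage in a real job (assumed endpoint and paths; not run here):
#   supervise_rsync 3 30 rsync -a --delete rsync://mirror.example.org/module/ /srv/mirror/
#   case $? in 2) send_page "rsync SIGSEGV against mirror.example.org" ;; esac
```

Returning a distinct code for the SIGSEGV case lets a cron wrapper or systemd OnFailure= hook treat "three crashes in a row" differently from an ordinary transfer error, which is the signal a responder wants when an endpoint may have been taken over.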
# Verify the installed rsync client version
rsync --version | head -n 1
# Example Debian or Ubuntu upgrade once the distribution publishes a patched package
sudo apt-get update && sudo apt-get install --only-upgrade rsync
# Example Red Hat or Fedora upgrade
sudo dnf upgrade rsync
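To turn the version banner from the command above into a pass/fail check for fleet inventory, here is an added POSIX shell example (not from the rsync project). It parses the first line of `rsync --version` and compares it against 3.4.3, the fixed release named in the advisory. The comparison uses sort -V, which is an assumption about the host (GNU coreutils or busybox); the sample banners are constructed.

```shell
#!/bin/sh
# Added example, not code from the advisory or from rsync: decide whether an
# rsync client banner reports a version below the fixed release 3.4.3.

FIXED_VERSION=3.4.3

# rsync_version_from_banner BANNER : print the dotted version from a banner
# such as "rsync  version 3.4.2  protocol version 32"; print nothing if the
# banner does not look like rsync output.
rsync_version_from_banner() {
    printf '%s\n' "$1" | sed -nE 's/^rsync +version +([0-9]+(\.[0-9]+)*).*/\1/p'
}

# version_lt A B : exit 0 when A is strictly lower than B in version order.
# sort -V handles multi-digit components (3.10.0 sorts after 3.4.3).
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# rsync_banner_vulnerable BANNER : exit 0 when the version is below 3.4.3,
# 1 when it is 3.4.3 or later, 2 when the banner could not be parsed.
rsync_banner_vulnerable() {
    v=$(rsync_version_from_banner "$1")
    [ -n "$v" ] || return 2
    if version_lt "$v" "$FIXED_VERSION"; then
        return 0
    fi
    return 1
}

# check_installed_rsync : inspect the locally installed client, if any,
# and print one line suitable for an inventory collector.
check_installed_rsync() {
    banner=$(rsync --version 2>/dev/null | head -n 1)
    rsync_banner_vulnerable "$banner" && rc=0 || rc=$?
    case $rc in
        0) echo "VULNERABLE $(rsync_version_from_banner "$banner") (< $FIXED_VERSION)" ;;
        1) echo "PATCHED $(rsync_version_from_banner "$banner")" ;;
        *) echo "UNKNOWN rsync not installed or banner not recognised" ;;
    esac
    return $rc
}

check_installed_rsync
```

Distribution packages that backport the fix keep the old version number, so on Debian, Ubuntu, RHEL and Fedora hosts a VULNERABLE result from this check must be cross-checked against the distribution's own security tracker before it is counted as exposure.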
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


