CVE-2026-45232 Overview
CVE-2026-45232 is an off-by-one out-of-bounds stack write vulnerability in rsync versions prior to 3.4.3. The flaw resides in the establish_proxy_connection() function within socket.c. A network attacker positioned between the rsync client and the HTTP proxy, or one controlling the proxy server itself, can corrupt stack memory. Exploitation requires the RSYNC_PROXY environment variable to be set on the client and a malformed proxy response line of 1023 or more bytes without a newline terminator. The condition causes a single null byte to be written to an out-of-bounds stack address. The issue is tracked under [CWE-193] (Off-by-one Error).
Critical Impact
A malicious or man-in-the-middle HTTP proxy can write a null byte beyond the bounds of a stack buffer in rsync clients configured to use RSYNC_PROXY, potentially destabilizing the process.
Affected Products
- Rsync versions before 3.4.3
- Rsync clients with the RSYNC_PROXY environment variable configured
- Downstream Linux distributions packaging vulnerable rsync builds
Discovery Timeline
- 2026-05-20 - CVE-2026-45232 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-45232
Vulnerability Analysis
The vulnerability sits in the proxy handshake path that rsync uses when tunneling its protocol through an HTTP CONNECT proxy. When RSYNC_PROXY is set, the client invokes establish_proxy_connection() in socket.c to read the proxy's status line. The reading logic accepts up to 1023 bytes before appending a null terminator. When the proxy returns a response line of exactly 1023 or more bytes without a newline, the terminator write lands one byte past the end of the stack buffer. The result is a single-byte stack corruption controlled in position but not in value, since only a null is written. See [CWE-193] for the underlying weakness class.
Root Cause
The root cause is an incorrect boundary calculation in the loop that reads bytes from the proxy socket. The code reserves space for a terminator but does not account for the case where the maximum read length is reached without encountering a newline. When the buffer fills completely, the trailing null byte is placed at index len, one position beyond the allocated stack region.
Attack Vector
Exploitation requires a network-adjacent attacker who can intercept rsync's proxy traffic or operate a hostile proxy that the victim is configured to use. The victim must have RSYNC_PROXY set, and the attacker must respond to the CONNECT request with a status line of at least 1023 bytes containing no newline. User interaction is required to initiate the rsync session, which keeps practical impact narrow. The CVSS 4.0 base score is 2.1, reflecting the limited availability impact and the constrained preconditions. The EPSS score stands at 0.031% with a percentile of 9.11, indicating low exploitation probability.
No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-8f85-j2cv-59m8 and the VulnCheck Advisory on rsync Vulnerability for technical details.
Detection Methods for CVE-2026-45232
Indicators of Compromise
- Rsync client processes terminating unexpectedly during the proxy handshake phase
- HTTP CONNECT proxy responses containing status lines of 1023 or more bytes without a newline terminator
- Outbound rsync connections traversing unexpected or untrusted HTTP proxies defined via RSYNC_PROXY
Detection Strategies
- Inventory hosts where the RSYNC_PROXY environment variable is set in user profiles, systemd units, or CI runners
- Inspect proxy server logs for abnormally long response lines emitted toward rsync user agents
- Correlate rsync process crashes with preceding network traffic to HTTP proxies using endpoint telemetry
Monitoring Recommendations
- Monitor versions of the rsync binary across managed Linux fleets and flag installations below 3.4.3
- Alert on rsync invocations that resolve proxies outside an approved allowlist
- Capture and review TLS-inspected or plaintext proxy responses during rsync sessions for malformed status lines
How to Mitigate CVE-2026-45232
Immediate Actions Required
- Upgrade rsync to version 3.4.3 or later on all clients, build agents, and backup hosts
- Audit environments for the presence of RSYNC_PROXY and remove it where proxying is not strictly required
- Restrict rsync clients to trusted proxy endpoints under organizational control
Patch Information
The upstream fix is available in the GitHub Release v3.4.3. The patch corrects the boundary check in establish_proxy_connection() within socket.c so the terminating null byte is written within the allocated stack buffer. Distribution maintainers should pull the upstream patch into supported package branches. Consult the GitHub Security Advisory GHSA-8f85-j2cv-59m8 for the authoritative remediation guidance.
Workarounds
- Unset the RSYNC_PROXY environment variable on systems that do not require proxy tunneling
- Route rsync traffic over SSH transport instead of HTTP CONNECT proxies
- Enforce network egress controls so rsync clients can only reach vetted, authenticated proxy servers
# Configuration example: remove RSYNC_PROXY and verify rsync version
unset RSYNC_PROXY
sed -i '/RSYNC_PROXY/d' /etc/environment ~/.bashrc ~/.profile 2>/dev/null
rsync --version | head -n 1
# Expected output should show: rsync version 3.4.3 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
