Rsync versionĀ 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recvfiles() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CFINCRECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEMTRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client.
{
"sources": [
{
"html_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43620",
"database_specific": {
"status": "Analyzed"
},
"modified": "2026-06-17T10:49:55.420Z",
"published": "2026-05-20T02:16:36.727Z",
"imported": "2026-06-25T17:27:23.356Z",
"id": "CVE-2026-43620",
"url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-43620"
},
{
"url": "https://api.github.com/advisories/GHSA-jmf6-74r8-6c28",
"html_url": "https://github.com/advisories/GHSA-jmf6-74r8-6c28",
"imported": "2026-06-25T17:27:26.144Z",
"published": "2026-05-20T03:31:33Z",
"id": "GHSA-jmf6-74r8-6c28",
"modified": "2026-05-20T03:31:41Z"
},
{
"modified": "2026-05-26T14:36:32Z",
"url": "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2026-31012",
"imported": "2026-06-25T17:27:24.663Z",
"published": "2026-05-20T00:47:57Z",
"id": "EUVD-2026-31012",
"html_url": "https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-31012"
}
],
"license": "CC-BY-4.0"
}