CVE-2026-43618

NameCVE-2026-43618
DescriptionRsync versionĀ 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4591-1, DSA-6282-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rsync (PTS)bullseye3.2.3-4+deb11u1vulnerable
bullseye (security)3.2.3-4+deb11u4fixed
bookworm3.2.7-1+deb12u4vulnerable
bookworm (security)3.2.7-1+deb12u5fixed
trixie3.4.1+ds1-5+deb13u2vulnerable
trixie (security)3.4.1+ds1-5+deb13u3fixed
forky3.4.2+ds1-2vulnerable
sid3.4.3+ds1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rsyncsourcebullseye3.2.3-4+deb11u4DLA-4591-1
rsyncsourcebookworm3.2.7-1+deb12u5DSA-6282-1
rsyncsourcetrixie3.4.1+ds1-5+deb13u3DSA-6282-1
rsyncsource(unstable)3.4.3+ds1-1

Notes

https://download.samba.org/pub/rsync/NEWS#3.4.3
https://www.openwall.com/lists/oss-security/2026/05/20/6
Search for package or bug name: Reporting problems