Fluid Attacks Database

Description

Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c that allows network attackers to corrupt stack memory by sending a malformed HTTP proxy response. Attackers can exploit this by positioning themselves between the client and proxy or controlling the proxy server to send a response line of 1023 or more bytes without a newline terminator, causing a null byte to be written to an out-of-bounds stack address when the RSYNC_PROXY environment variable is set.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	rsync	=3.2.7-1 \|\| =3.2.7-1+deb12u1 \|\| =3.2.7-1+deb12u2 \|\| =3.2.7-1+deb12u3 \|\| =3.2.7-1+deb12u4 \|\| =3.2.7-1+deb12u5 \|\| =3.3.0+ds1-1 \|\| =3.3.0+ds1-2 \|\| =3.3.0+ds1-3 \|\| =3.3.0+ds1-4 \|\| =3.3.0-1 \|\| =3.4.1+ds1-1 \|\| =3.4.1+ds1-2 \|\| =3.4.1+ds1-3 \|\| =3.4.1+ds1-4 \|\| =3.4.1+ds1-4~exp1 \|\| =3.4.1+ds1-4~exp2 \|\| =3.4.1+ds1-5 \|\| =3.4.1+ds1-5~exp1 \|\| =3.4.1+ds1-6 \|\| =3.4.1+ds1-7 \|\| =3.4.1+ds1-8~exp1 \|\| =3.4.2+ds1-1 \|\| =3.4.2+ds1-2 \|\| =3.4.3+ds1-1 \|\| =3.4.3+ds1-2	-
debian 14	rsync	=3.4.1+ds1-5 \|\| =3.4.1+ds1-6 \|\| =3.4.1+ds1-7 \|\| =3.4.1+ds1-8~exp1 \|\| =3.4.2+ds1-1 \|\| =3.4.2+ds1-2 \|\| >=0 <3.4.3+ds1-1	3.4.3+ds1-1
debian 11	rsync	=3.2.3-4 \|\| =3.2.3-4+deb11u1 \|\| =3.2.3-4+deb11u2 \|\| =3.2.3-4+deb11u3 \|\| =3.2.3-4+deb11u4 \|\| =3.2.3-5 \|\| =3.2.3-6 \|\| =3.2.3-7 \|\| =3.2.3-8 \|\| =3.2.4-1 \|\| =3.2.4-1~bpo11+1 \|\| =3.2.5-1 \|\| =3.2.6-1 \|\| =3.2.6-2 \|\| =3.2.6-3 \|\| =3.2.6-4 \|\| =3.2.7-1 \|\| =3.2.7-1~bpo11+1 \|\| =3.3.0+ds1-1 \|\| =3.3.0+ds1-2 \|\| =3.3.0+ds1-3 \|\| =3.3.0+ds1-4 \|\| =3.3.0-1 \|\| =3.4.1+ds1-1 \|\| =3.4.1+ds1-2 \|\| =3.4.1+ds1-3 \|\| =3.4.1+ds1-4 \|\| =3.4.1+ds1-4~exp1 \|\| =3.4.1+ds1-4~exp2 \|\| =3.4.1+ds1-5 \|\| =3.4.1+ds1-5~exp1 \|\| =3.4.1+ds1-6 \|\| =3.4.1+ds1-7 \|\| =3.4.1+ds1-8~exp1 \|\| =3.4.2+ds1-1 \|\| =3.4.2+ds1-2 \|\| =3.4.3+ds1-1 \|\| =3.4.3+ds1-2	-
debian 13	rsync	=3.4.1+ds1-5 \|\| =3.4.1+ds1-5+deb13u1 \|\| =3.4.1+ds1-5+deb13u2 \|\| =3.4.1+ds1-5+deb13u3 \|\| =3.4.1+ds1-6 \|\| =3.4.1+ds1-7 \|\| =3.4.1+ds1-8~exp1 \|\| =3.4.2+ds1-1 \|\| =3.4.2+ds1-2 \|\| =3.4.3+ds1-1 \|\| =3.4.3+ds1-2	-
alpine v3.20	rsync	>=0 <3.4.3-r0	3.4.3-r0
alpine v3.21	rsync	>=0 <3.4.3-r0	3.4.3-r0
alpine v3.22	rsync	>=0 <3.4.3-r0	3.4.3-r0
alpine v3.23	rsync	>=0 <3.4.3-r0	3.4.3-r0
rpm rhel8	rsync	-	-
rpm rhel9	rsync	-	-

1-10 of 13

Aliases

1. CVE-2026-452322. NVD-2026-452323. OSV-DEBIAN-2026-452324. OSV-2026-452325. OSV-ALPINE-2026-452326. SECURITY-TRACKER-CVE-2026-452327. SECURITY-CVE-2026-45232

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.