Fluid Attacks Database

Description

Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	rsync	=3.4.1+ds1-5 \|\| =3.4.1+ds1-6 \|\| =3.4.1+ds1-7 \|\| =3.4.1+ds1-8~exp1 \|\| =3.4.2+ds1-1 \|\| =3.4.2+ds1-2 \|\| >=0 <3.4.3+ds1-1	3.4.3+ds1-1
debian 11	rsync	=3.2.3-4 \|\| =3.2.3-4+deb11u1 \|\| =3.2.3-4+deb11u2 \|\| =3.2.3-4+deb11u3 \|\| >=0 <3.2.3-4+deb11u4	3.2.3-4+deb11u4
debian 12	rsync	=3.2.7-1 \|\| =3.2.7-1+deb12u1 \|\| =3.2.7-1+deb12u2 \|\| =3.2.7-1+deb12u3 \|\| =3.2.7-1+deb12u4 \|\| >=0 <3.2.7-1+deb12u5	3.2.7-1+deb12u5
debian 13	rsync	=3.4.1+ds1-5 \|\| =3.4.1+ds1-5+deb13u1 \|\| =3.4.1+ds1-5+deb13u2 \|\| >=0 <3.4.1+ds1-5+deb13u3	3.4.1+ds1-5+deb13u3
alpine v3.20	rsync	>=0 <3.4.3-r0	3.4.3-r0
alpine v3.21	rsync	>=0 <3.4.3-r0	3.4.3-r0
alpine v3.22	rsync	>=0 <3.4.3-r0	3.4.3-r0
alpine v3.23	rsync	>=0 <3.4.3-r0	3.4.3-r0
rpm rhel10	rsync	-	-
rpm rhel6	rsync	-	-

1-10 of 13

Aliases

1. CVE-2026-436202. NVD-2026-436203. OSV-DEBIAN-2026-436204. OSV-2026-436205. OSV-ALPINE-2026-436206. SECURITY-TRACKER-CVE-2026-436207. SECURITY-CVE-2026-43620

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.