CVE-2026-43620
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk40th percentile - higher than 40% of all known CVEs
Summary
A vulnerability in rsync 3.4.2 and earlier allows a malicious server to intentionally trigger a SIGSEGV crash in the rsync client. The issue is in recv_files() in receiver.c, where an out-of-bounds array read leads to dereferencing an invalid pointer.
Risk Assessment
An attacker can remotely and deterministically crash the rsync client, disrupting data synchronization and potentially causing data unavailability. This vulnerability can be used for DoS attacks against systems using rsync.
Recommendation
Immediately update rsync to version 3.4.3 or later, which contains the fix. If updating is not possible, restrict trusted connections to verified rsync servers only.
Original NVD description (English source)
Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client.

