Home Embedded Vulns General Vulns

CVE-2026-43620

MEDIUM 6.5

Our Analysis: General Purpose

Our model has classified this vulnerability as relevant to General Purpose Systems, helping your team prioritize efforts effectively.

Published Date May 20, 2026
Last Modified May 20, 2026
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Description

Rsync versionĀ 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client.

Potentially Affected Vendors