{ "affected": [ { "ecosystem_specific": { "urgency": "not yet assigned" }, "package": { "ecosystem": "Debian:11", "name": "rsync" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.2.3-4+deb11u4" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "urgency": "not yet assigned" }, "package": { "ecosystem": "Debian:12", "name": "rsync" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.2.7-1+deb12u5" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "urgency": "not yet assigned" }, "package": { "ecosystem": "Debian:13", "name": "rsync" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.4.1+ds1-5+deb13u3" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "urgency": "not yet assigned" }, "package": { "ecosystem": "Debian:14", "name": "rsync" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.4.3+ds1-1" } ], "type": "ECOSYSTEM" } ] } ], "details": "Rsync versionĀ 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client.", "id": "DEBIAN-CVE-2026-43620", "modified": "2026-05-23T04:48:10.591354232Z", "published": "2026-05-20T02:16:36.727Z", "references": [ { "type": "ADVISORY", "url": "https://security-tracker.debian.org/tracker/CVE-2026-43620" } ], "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "upstream": [ "CVE-2026-43620" ] }