CVE-2026-43618
- Source
- https://cve.org/CVERecord?id=CVE-2026-43618
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43618.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-43618
- Aliases
-
- GHSA-g37v-g3gj-pmwq
- Downstream
- Related
- Published
- 2026-05-20T00:50:21.416Z
- Modified
- 2026-05-28T08:29:16.904024540Z
- Severity
-
- 6.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Rsync < 3.4.3 Integer Overflow Information Disclosure
- Details
-
Rsync versionĀ 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43618.json", "cwe_ids": [ "CWE-125", "CWE-190" ], "cna_assigner": "VulnCheck" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43618.json
- https://github.com/RsyncProject/rsync/releases/tag/v3.4.3
- https://github.com/RsyncProject/rsync/security/advisories/GHSA-g37v-g3gj-pmwq
- https://nvd.nist.gov/vuln/detail/CVE-2026-43618
- https://www.vulncheck.com/advisories/rsync-integer-overflow-information-disclosure
- https://github.com/RsyncProject/rsync
Affected packages
Git / git.samba.org/rsync.git/
Affected ranges
- Type
- GIT
- Repo
- https://git.samba.org/rsync.git/
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedde3cc03b03be153092f266aa1117b4706947ed07
- Database specific
{ "cpe": "cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*", "extracted_events": [ { "introduced": "0" }, { "last_affected": "3.4.2" } ], "source": "CPE_RANGE" }
Affected versions
Other
mbp_bk_export0
v1.*
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7pre2
v2.4.7pre4
v2.5.0
v2.5.1
v2.5.1pre1
v2.5.1pre2
v2.5.1pre3
v2.5.2
v2.5.2pre1
v2.5.2pre2
v2.5.2pre3
v2.5.3
v2.5.3pre1
v2.5.4
v2.5.4pre1
v2.5.5
v2.5.5.rc1
v2.5.6
v2.6.0
v2.6.0pre1
v2.6.0pre2
v2.6.1
v2.6.1pre1
v2.6.1pre2
v2.6.2
v2.6.2pre1
v2.6.3
v2.6.3pre1
v2.6.3pre2
v2.6.4
v2.6.4pre1
v2.6.4pre2
v2.6.4pre3
v2.6.4pre4
v2.6.5
v2.6.5pre1
v2.6.5pre2
v2.6.6pre1
v2.6.7
v2.6.7pre1
v2.6.7pre2
v2.6.7pre3
v2.6.8
v2.6.8pre1
v2.6.9
v2.6.9pre1
v2.6.9pre2
v2.6.9pre3
v3.*
v3.0.0
v3.0.0pre1
v3.0.0pre10
v3.0.0pre2
v3.0.0pre3
v3.0.0pre4
v3.0.0pre5
v3.0.0pre6
v3.0.0pre7
v3.0.0pre8
v3.0.0pre9
v3.0.1
v3.0.1pre1
v3.0.1pre2
v3.0.1pre3
v3.0.2
v3.0.3
v3.0.3pre1
v3.0.3pre2
v3.0.3pre3
v3.1.0
v3.1.0pre1
v3.1.1
v3.1.1pre1
v3.1.1pre2
v3.1.2
v3.1.2pre1
v3.1.3
v3.1.3pre1
v3.2.0
v3.2.0pre1
v3.2.0pre2
v3.2.0pre3
v3.2.1
v3.2.1pre1
v3.2.2
v3.2.2pre1
v3.2.2pre2
v3.2.2pre3
v3.2.3
v3.2.3pre1
v3.2.4
v3.2.4pre1
v3.2.4pre2
v3.2.4pre3
v3.2.4pre4
v3.2.5
v3.2.5pre1
v3.2.5pre2
v3.2.6
v3.2.7
v3.2.7pre1
v3.3.0
v3.3.0pre1
v3.4.0
v3.4.1
v3.4.2
Git / github.com/rsyncproject/rsync
Affected versions
Other
mbp_bk_export0
v1.*
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7pre2
v2.4.7pre4
v2.5.0
v2.5.1
v2.5.1pre1
v2.5.1pre2
v2.5.1pre3
v2.5.2
v2.5.2pre1
v2.5.2pre2
v2.5.2pre3
v2.5.3
v2.5.3pre1
v2.5.4
v2.5.4pre1
v2.5.5
v2.5.5.rc1
v2.5.6
v2.6.0
v2.6.0pre1
v2.6.0pre2
v2.6.1
v2.6.1pre1
v2.6.1pre2
v2.6.2
v2.6.2pre1
v2.6.3
v2.6.3pre1
v2.6.3pre2
v2.6.4
v2.6.4pre1
v2.6.4pre2
v2.6.4pre3
v2.6.4pre4
v2.6.5
v2.6.5pre1
v2.6.5pre2
v2.6.6pre1
v2.6.7
v2.6.7pre1
v2.6.7pre2
v2.6.7pre3
v2.6.8
v2.6.8pre1
v2.6.9
v2.6.9pre1
v2.6.9pre2
v2.6.9pre3
v3.*
v3.0.0
v3.0.0pre1
v3.0.0pre10
v3.0.0pre2
v3.0.0pre3
v3.0.0pre4
v3.0.0pre5
v3.0.0pre6
v3.0.0pre7
v3.0.0pre8
v3.0.0pre9
v3.0.1
v3.0.1pre1
v3.0.1pre2
v3.0.1pre3
v3.0.2
v3.0.3
v3.0.3pre1
v3.0.3pre2
v3.0.3pre3
v3.1.0
v3.1.0pre1
v3.1.1
v3.1.1pre1
v3.1.1pre2
v3.1.2
v3.1.2pre1
v3.1.3
v3.1.3pre1
v3.2.0
v3.2.0pre1
v3.2.0pre2
v3.2.0pre3
v3.2.1
v3.2.1pre1
v3.2.2
v3.2.2pre1
v3.2.2pre2
v3.2.2pre3
v3.2.3
v3.2.3pre1
v3.2.4
v3.2.4pre1
v3.2.4pre2
v3.2.4pre3
v3.2.4pre4
v3.2.5
v3.2.5pre1
v3.2.5pre2
v3.2.6
v3.2.7
v3.2.7pre1
v3.3.0
v3.3.0pre1
v3.4.0
v3.4.1
v3.4.2