DEBIAN-CVE-2026-45232

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-45232
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-45232.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-45232
Upstream
Published
2026-05-20T02:16:36.887Z
Modified
2026-06-15T19:06:16.703470532Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
[none]
Details

Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establishproxyconnection() function in socket.c that allows network attackers to corrupt stack memory by sending a malformed HTTP proxy response. Attackers can exploit this by positioning themselves between the client and proxy or controlling the proxy server to send a response line of 1023 or more bytes without a newline terminator, causing a null byte to be written to an out-of-bounds stack address when the RSYNC_PROXY environment variable is set.

References

Affected packages

Debian:11 / rsync

Package

Name
rsync
Purl
pkg:deb/debian/rsync?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.2.3-4
3.2.3-4+deb11u1
3.2.3-4+deb11u2
3.2.3-4+deb11u3
3.2.3-4+deb11u4
3.2.3-5
3.2.3-6
3.2.3-7
3.2.3-8
3.2.4-1~bpo11+1
3.2.4-1
3.2.5-1
3.2.6-1
3.2.6-2
3.2.6-3
3.2.6-4
3.2.7-1~bpo11+1
3.2.7-1
3.3.0-1
3.3.0+ds1-1
3.3.0+ds1-2
3.3.0+ds1-3
3.3.0+ds1-4
3.4.1+ds1-1
3.4.1+ds1-2
3.4.1+ds1-3
3.4.1+ds1-4~exp1
3.4.1+ds1-4~exp2
3.4.1+ds1-4
3.4.1+ds1-5~exp1
3.4.1+ds1-5
3.4.1+ds1-6
3.4.1+ds1-7
3.4.1+ds1-8~exp1
3.4.2+ds1-1
3.4.2+ds1-2
3.4.3+ds1-1
3.4.3+ds1-2
3.4.4+ds1-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-45232.json"

Debian:12 / rsync

Package

Name
rsync
Purl
pkg:deb/debian/rsync?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.2.7-1
3.2.7-1+deb12u1
3.2.7-1+deb12u2
3.2.7-1+deb12u3
3.2.7-1+deb12u4
3.2.7-1+deb12u5
3.2.7-1+deb12u6
3.3.0-1
3.3.0+ds1-1
3.3.0+ds1-2
3.3.0+ds1-3
3.3.0+ds1-4
3.4.1+ds1-1
3.4.1+ds1-2
3.4.1+ds1-3
3.4.1+ds1-4~exp1
3.4.1+ds1-4~exp2
3.4.1+ds1-4
3.4.1+ds1-5~exp1
3.4.1+ds1-5
3.4.1+ds1-6
3.4.1+ds1-7
3.4.1+ds1-8~exp1
3.4.2+ds1-1
3.4.2+ds1-2
3.4.3+ds1-1
3.4.3+ds1-2
3.4.4+ds1-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-45232.json"

Debian:13 / rsync

Package

Name
rsync
Purl
pkg:deb/debian/rsync?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.4.1+ds1-5
3.4.1+ds1-5+deb13u1
3.4.1+ds1-5+deb13u2
3.4.1+ds1-5+deb13u3
3.4.1+ds1-5+deb13u4
3.4.1+ds1-6
3.4.1+ds1-7
3.4.1+ds1-8~exp1
3.4.2+ds1-1
3.4.2+ds1-2
3.4.3+ds1-1
3.4.3+ds1-2
3.4.4+ds1-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-45232.json"

Debian:14 / rsync

Package

Name
rsync
Purl
pkg:deb/debian/rsync?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.4.3+ds1-1

Affected versions

3.*
3.4.1+ds1-5
3.4.1+ds1-6
3.4.1+ds1-7
3.4.1+ds1-8~exp1
3.4.2+ds1-1
3.4.2+ds1-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-45232.json"