Rsync · Rsync · CVE-2026-43620
**Name of the Vulnerable Software and Affected Versions**
rsync versions prior to 3.4.3
**Description**
A receiver-side out-of-bounds array read exists in the `recv_files()` function within `receiver.c`. A malicious rsync server can trigger a deterministic SIGSEGV crash of the rsync client process by setting `CF_INC_RECURSE` in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with `ndx=0` and an `iflag` word without `ITEM_TRANSFER`. This sequence causes the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address.
**Recommendations**
Update to version 3.4.3 or later.
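
To find client hosts that still need this update, the first line of `rsync --version` can be compared against 3.4.3. The script below is an added example, not part of the original advisory or the rsync project; the function names and sample banners are constructed for illustration, and treating a 3.4.3 pre-release as affected is an assumption.

```shell
#!/bin/sh
FIXED="3.4.3"   # first fixed release, taken from the advisory

# Print the version token ("3.4.1", "3.4.3pre1") from a `rsync --version` banner.
banner_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^rsync  *version  *v\{0,1\}\([0-9][^ ]*\).*/\1/p'
}

# Succeed if dotted version $1 is numerically lower than $2 (up to three fields).
version_lt() {
    va=$1; vb=$2; old_ifs=$IFS; IFS=.
    set -- $va; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $vb; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ]; return; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ]; return; fi
    [ "$a3" -lt "$b3" ]
}

# Print "affected", "fixed" or "unknown" for one banner.
classify_banner() {
    ver=$(banner_version "$1")
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    num=$(printf '%s' "$ver" | sed 's/^\([0-9.]*\).*/\1/')
    suffix=${ver#"$num"}
    if version_lt "$num" "$FIXED"; then
        echo affected
    elif [ "$num" = "$FIXED" ] && [ -n "$suffix" ]; then
        echo affected   # assumption: a 3.4.3 pre-release counts as prior to 3.4.3
    else
        echo fixed
    fi
}

# Constructed sample banners (not captured from real hosts).
for banner in \
    "rsync  version 3.2.7  protocol version 31" \
    "rsync  version 3.4.3pre1  protocol version 32" \
    "rsync  version 3.4.3  protocol version 32" \
    "openrsync: protocol version 29"
do
    printf '%-48s %s\n' "$banner" "$(classify_banner "$banner")"
done

# Check the locally installed client, if there is one.
if command -v rsync >/dev/null 2>&1; then
    echo "local rsync: $(classify_banner "$(rsync --version 2>/dev/null)")"
fi
```

Distribution packages can carry a backported fix under an older upstream version string, so an "affected" result should be confirmed against the package vendor's own advisory.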