PT-2024-10127 · rsync (+6 other affected products)

Jspelman-Google (+2) · Published 2024-10-30 · Updated 2026-02-22 · CVE-2024-12084

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable software and affected versions: rsync versions prior to 3.4.0

Description: rsync contains multiple vulnerabilities, the most severe of which is a critical heap-based buffer overflow that allows remote code execution. The overflow is caused by improper handling of the attacker-controlled checksum length (s2length): the sum2 field that receives a block's strong checksum is a fixed SUM_LENGTH (16 bytes), but MAX_DIGEST_LEN, the largest digest a negotiated checksum can produce, is larger than that, so a peer that sends an s2length greater than 16 can write past the end of sum2 on the heap. Approximately 600,000 systems are potentially affected globally. An attacker who has only anonymous read access to an rsync server (a public mirror, for instance) can use the flaw to execute arbitrary code on that server. The rsync daemon is affected.

Recommendations: Upgrade to rsync 3.4.0 or later. Check the installed build with `rsync --version`; distribution packages may carry a backported fix under an older version string, so confirm a package is patched through the vendor advisories listed under Related Identifiers rather than relying on the version number alone. Where an exposed daemon cannot be updated promptly, restrict network access to it or disable it until it is.
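The following is an added example, not rsync's own code, that models the s2length problem described above: a record whose sum2 field holds SUM_LENGTH (16) bytes, a peer-supplied sum head whose s2length is trusted and copied as-is, and the length-checked variant beside it. The "heap" is a single byte array laid out by hand so the out-of-bounds write is visible without relying on undefined behaviour; MAX_DIGEST_LEN = 64, the field offsets, the struct layout and the function names are assumptions of this model.

```c
/* Model of the CVE-2024-12084 s2length overflow, with the vulnerable copy and a
 * length-checked replacement side by side.  Simplified illustration, not rsync's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SUM_LENGTH     16   /* fixed size of the sum2[] field in the pre-3.4.0 layout */
#define MAX_DIGEST_LEN 64   /* largest digest a negotiated checksum can produce: assumed value */

/* Hand-laid-out "heap": a sum_buf-style record whose sum2[] field is followed
 * by a neighbouring allocation.  One byte array keeps the overflow observable
 * while every write stays inside the array. */
#define HEAP_SIZE     128
#define SUM2_OFF      8                        /* offset/len fields precede sum2 in the model */
#define NEIGHBOUR_OFF (SUM2_OFF + SUM_LENGTH)  /* first byte of the next allocation */
#define NEIGHBOUR_LEN 16

/* The "sum head" sent ahead of the block checksums; the remote peer chooses
 * every field (names follow rsync's protocol, layout simplified). */
struct sum_head {
    int32_t count;      /* number of blocks */
    int32_t blength;    /* block length */
    int32_t s2length;   /* bytes of strong checksum per block: attacker-controlled */
    int32_t remainder;  /* size of the last block */
};

enum { CSUM_OK = 0, CSUM_BAD_LEN = -1 };

/* Vulnerable pattern: s2length is trusted, so up to MAX_DIGEST_LEN bytes are
 * copied into a field that only holds SUM_LENGTH.  Returns how many bytes
 * landed past the end of sum2 (0 when nothing overflowed). */
int vuln_store_sum2(unsigned char *heap, const struct sum_head *hd, const unsigned char *wire_sum)
{
    /* Limit of the *model* only, so the demo itself stays well-defined; the
     * real bug is precisely that no such check exists before the copy. */
    if (hd->s2length < 0 || hd->s2length > MAX_DIGEST_LEN)
        return 0;
    memcpy(heap + SUM2_OFF, wire_sum, (size_t)hd->s2length);
    return hd->s2length > SUM_LENGTH ? hd->s2length - SUM_LENGTH : 0;
}

/* Hardened pattern: validate s2length before any write.  It must be
 * non-negative, fit the destination field, and not exceed the digest length
 * of the checksum actually negotiated for this transfer. */
int safe_store_sum2(unsigned char *heap, const struct sum_head *hd,
                    const unsigned char *wire_sum, int negotiated_len)
{
    if (hd->s2length < 0 || hd->s2length > SUM_LENGTH || hd->s2length > negotiated_len)
        return CSUM_BAD_LEN;            /* protocol error: abort the transfer */
    memcpy(heap + SUM2_OFF, wire_sum, (size_t)hd->s2length);
    return CSUM_OK;
}

/* Builds a fresh model heap, runs one path with the given s2length and reports
 * whether the neighbouring allocation was clobbered (1) or left intact (0). */
static int run_path(int s2length, int use_safe_path, int *rc_out)
{
    unsigned char heap[HEAP_SIZE];
    unsigned char wire[MAX_DIGEST_LEN];
    struct sum_head hd = { 1, 700, s2length, 0 };       /* constructed sum head */
    int i, rc;

    memset(heap, 0, sizeof heap);
    memset(heap + NEIGHBOUR_OFF, 0xAA, NEIGHBOUR_LEN);  /* marker bytes in the neighbour */
    memset(wire, 0x41, sizeof wire);                    /* attacker-chosen checksum bytes */

    rc = use_safe_path ? safe_store_sum2(heap, &hd, wire, MAX_DIGEST_LEN)
                       : vuln_store_sum2(heap, &hd, wire);
    if (rc_out)
        *rc_out = rc;

    for (i = 0; i < NEIGHBOUR_LEN; i++)
        if (heap[NEIGHBOUR_OFF + i] != 0xAA)
            return 1;
    return 0;
}

/* 1 if the trusting copy overwrote the neighbour for this s2length, else 0. */
int vuln_clobbers_neighbour(int s2length) { return run_path(s2length, 0, NULL); }

/* Return code of the checked copy; *clobbered receives the neighbour state. */
int safe_result(int s2length, int *clobbered)
{
    int rc;
    int c = run_path(s2length, 1, &rc);
    if (clobbered)
        *clobbered = c;
    return rc;
}

int main(void)
{
    int rc, clobbered;
    printf("vulnerable path, s2length=16: neighbour clobbered=%d\n", vuln_clobbers_neighbour(16));
    printf("vulnerable path, s2length=32: neighbour clobbered=%d\n", vuln_clobbers_neighbour(32));
    rc = safe_result(32, &clobbered);
    printf("hardened path,  s2length=32: rc=%d neighbour clobbered=%d\n", rc, clobbered);
    return 0;
}
```

With s2length = 16 both paths behave identically; at 32 or 64 the trusting copy overwrites the neighbouring allocation while the checked copy refuses the sum head before touching memory. The check is deliberately against both the field size and the negotiated digest length: enlarging sum2 to MAX_DIGEST_LEN alone removes the overflow but still lets a peer claim a checksum length that does not match the algorithm in use, which a strict reader should treat as a protocol error.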

Exploit

Fix

DoS

RCE

Buffer Overflow

Heap Based Buffer Overflow

Memory Corruption

Race Condition

Related Identifiers

ALT-PU-2025-1240
ALT-PU-2025-1320
ALT-PU-2025-1322
AZL-55646
AZL-55691
BDU:2025-00372
BDU:2025-00373
BDU:2025-00374
BDU:2025-00376
BDU:2025-00377
BDU:2025-00378
CVE-2024-12084
DSA-5843-1
DSA-5843-2
GHSA-P5PG-X43V-MVQJ
MGASA-2025-0019
OESA-2025-1061
OESA-2025-1064
OPENSUSE-SU-2025:14665-1
OPENSUSE-SU-2025_0118-1
OPENSUSE-SU-2025_0118-2
OPENSUSE-SU-2025_0156-1
SUSE-SU-2025:0156-1
SUSE-SU-2025:20122-1
SUSE-SU-2025:20223-1
SUSE-SU-2025_0118-1
SUSE-SU-2025_0118-2
SUSE-SU-2025_0156-1
SUSE-SU-2026:2038-1
SUSE-SU-2026:2048-1
SUSE-SU-2026:2083-1
SUSE-SU-2026:21726-1
USN-7206-1
USN-7206-2
USN-7206-3
USN-7206-4

Affected Products

ALT Linux
Astra Linux
Linux Mint
RED OS
SUSE
Ubuntu
rsync