PT-2026-42052 · Rsync · Rsync

Omar Elsayed · Published 2026-05-20 · Updated 2026-05-24 · CVE-2026-43618

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Name of the Vulnerable Software and Affected Versions
rsync versions prior to 3.4.3

Description
An integer overflow exists in the compressed-token decoder: a 32-bit signed counter is not checked for overflow. A malicious sender can trigger the overflow, causing the receiver process to read and return data from outside the intended buffer bounds. This discloses process memory contents such as environment variables, passwords, heap and stack data, and library memory pointers. The disclosure reduces the effectiveness of Address Space Layout Randomization (ASLR), a security technique that randomly arranges the address-space positions of key data areas, and facilitates further exploitation.

Recommendations
Update to version 3.4.3 or later.
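
The weakness class in the description, shown as an added example: a simplified model of a sender-driven signed 32-bit counter, with the unchecked update beside a checked one. This is not rsync source code or the upstream patch; the `decoder` struct, `advance_unchecked` and `advance_checked` are hypothetical names, and the values in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not rsync source. The sender advances a signed 32-bit
 * running index with run lengths; the receiver uses it to pick a block. */
struct decoder {
    int32_t token;       /* running index, influenced by the sender */
    int32_t block_count; /* number of valid blocks in the local buffer */
};

/* Unchecked form. The add goes through uint32_t so this demo has no
 * undefined behaviour; the result wraps the way a two's-complement
 * counter does and can come back negative. */
static int32_t advance_unchecked(struct decoder *d, int32_t run)
{
    d->token = (int32_t)((uint32_t)d->token + (uint32_t)run);
    return d->token;
}

/* Checked form: refuse negative runs, additions that would overflow, and
 * results outside the buffer. State is left untouched on failure. */
static int advance_checked(struct decoder *d, int32_t run)
{
    if (d->token < 0 || run < 0 || run > INT32_MAX - d->token)
        return -1;
    if (d->token + run >= d->block_count)
        return -1;
    d->token += run;
    return 0;
}

int main(void)
{
    struct decoder a = { INT32_MAX - 1, 16 }, b = { 3, 16 };
    printf("unchecked index: %d\n", (int)advance_unchecked(&a, 5));
    printf("checked, in range: %d\n", advance_checked(&b, 4));
    printf("checked, overflow: %d\n", advance_checked(&b, INT32_MAX));
    return 0;
}
```

A negative or oversized index that later feeds a buffer offset is what turns the arithmetic error into a read outside the buffer, so the range check belongs at the point where the counter is updated.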

Fix

Out of bounds Read

Integer Overflow

Weakness Enumeration

Related Identifiers

CVE-2026-43618
OPENSUSE-SU-2026:10857-1
USN-8283-1

Affected Products

Rsync