PT-2026-42054 · Rsync · Rsync

Pratham Gupta · Published 2026-05-20 · Updated 2026-05-24 · CVE-2026-43620

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: rsync versions prior to 3.4.3

Description: A receiver-side out-of-bounds array read exists in the recv_files() function in receiver.c. A malicious rsync server can trigger a deterministic SIGSEGV crash of the rsync client process by setting CF_INC_RECURSE in the compatibility flags and sending a specially crafted file list whose first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER. This sequence causes the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address.

Recommendations: Update to version 3.4.3 or later.
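The following is an added example, not part of the advisory and not rsync project code: a POSIX shell check that parses the first line of `rsync --version` (assumed to have the form "rsync  version 3.4.2  protocol version 32") and reports whether the installed version is older than the fixed release 3.4.3. The sample banner embedded in the script is constructed for illustration.

```shell
# Added example (not from the advisory): flag rsync client versions older than
# the fixed release 3.4.3 named in the recommendation above.

# Extract "x.y.z" from the first line of `rsync --version` output.
# Assumed banner format: "rsync  version 3.4.2  protocol version 32".
rsync_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n '1s/^rsync[[:space:]]*version[[:space:]]*\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when dotted version $1 is strictly older than $2, 1 otherwise.
# Missing components are treated as 0, so "3.4" compares as "3.4.0".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# $1: first line of `rsync --version`. Returns 0 if the version is affected
# (older than 3.4.3), 1 if fixed, 2 if the banner could not be parsed.
rsync_vulnerable() {
    v=$(rsync_version_from_banner "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" 3.4.3
}

# Constructed sample banner used when no rsync binary is installed.
SAMPLE_BANNER='rsync  version 3.4.2  protocol version 32'

if command -v rsync >/dev/null 2>&1; then
    banner=$(rsync --version 2>/dev/null | head -n 1)
else
    banner=$SAMPLE_BANNER
fi

if rsync_vulnerable "$banner"; then
    printf 'AFFECTED: %s (update to 3.4.3 or later)\n' "$banner"
elif [ $? -eq 2 ]; then
    printf 'UNKNOWN: could not parse banner: %s\n' "$banner"
else
    printf 'OK: %s\n' "$banner"
fi
```

The comparison is done component by component rather than with string ordering so that 3.4.10 correctly sorts after 3.4.3.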

Fix

Weakness Enumeration

Out-of-bounds Read

Related Identifiers

CVE-2026-43620
OPENSUSE-SU-2026:10857-1
USN-8283-1

Affected Products

Rsync