CVE-2026-43618— Rsync < 3.4.3 Integer Overflow Information Disclosure
Possible ATT&CK Techniques 1AI
T1213 · Data from Information RepositoriesGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-43618
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Rsync < 3.4.3 Integer Overflow Information Disclosure
Source: NVD (National Vulnerability Database)
Vulnerability Description
Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
整数溢出或超界折返
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| RsyncProject | rsync | 0 ~ 3.4.3 | - |
II. Public POCs for CVE-2026-43618
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 9802 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-43618
请登录查看更多情报信息。
Same Patch Batch · RsyncProject · 2026-05-20 · 6 CVEs total
| CVE-2026-29518 | 7.0 HIGH | Rsync < 3.4.3 TOCTOU Race Condition Allows Symlink-Based Arbitrary File Write |
| CVE-2026-43620 | 6.5 MEDIUM | Rsync < 3.4.3 Out-of-Bounds Array Read via recv_files() |
| CVE-2026-43619 | 6.3 MEDIUM | Rsync < 3.4.3 Symlink Race Condition via Path-Based Syscalls |
| CVE-2026-43617 | 4.8 MEDIUM | Rsync < 3.4.3 Authorization Bypass via Hostname Resolution |
| CVE-2026-45232 | 3.1 LOW | Rsync < 3.4.3 Off-by-One Stack Write via HTTP Proxy |
IV. Related Vulnerabilities
Same product: rsync
- CVE-2026-29518
Rsync < 3.4.3 TOCTOU Race Condition Allows Symlink-Based Arb - CVE-2026-43617
Rsync < 3.4.3 Authorization Bypass via Hostname Resolution - CVE-2026-43619
Rsync < 3.4.3 Symlink Race Condition via Path-Based Syscalls - CVE-2026-43620
Rsync < 3.4.3 Out-of-Bounds Array Read via recv_files() - CVE-2026-45232
Rsync < 3.4.3 Off-by-One Stack Write via HTTP Proxy
Same vendor: RsyncProject
- CVE-2026-29518
Rsync < 3.4.3 TOCTOU Race Condition Allows Symlink-Based Arb - CVE-2026-43617
Rsync < 3.4.3 Authorization Bypass via Hostname Resolution - CVE-2026-43619
Rsync < 3.4.3 Symlink Race Condition via Path-Based Syscalls - CVE-2026-43620
Rsync < 3.4.3 Out-of-Bounds Array Read via recv_files() - CVE-2026-45232
Rsync < 3.4.3 Off-by-One Stack Write via HTTP Proxy
Same weakness: CWE-190
- CVE-2026-24214
NVIDIA Triton Inference Server DALI后端整数溢出漏洞 - CVE-2026-24210
NVIDIA Triton Inference Server 整数溢出致拒绝服务 - CVE-2026-33642
Kitty has a Heap Buffer Over-Read/Write via Integer Overflow - CVE-2026-27781
kernel_liteos_a has an integer overflow vulnerability - CVE-2026-32849
NetBSD Signed Integer Overflow in cryptodev_op via cryptodev
V. Comments for CVE-2026-43618
No comments yet