You are using an out of date browser. It may not display this or other websites correctly. You should upgrade or use an alternative browser.
rsync vulnerability
About this tag
The rsync vulnerability tag covers a series of high-severity security flaws disclosed in 2026 affecting rsync versions before 3.4.3. These include CVE-2026-29518, a symlink race in daemon mode; CVE-2026-43620, a denial-of-service via out-of-bounds array read; CVE-2026-43618, an integer overflow leading to remote memory disclosure; CVE-2026-43619, a symlink race for module boundary escape; and CVE-2026-41035, a use-after-free in extended attributes processing. While these bugs primarily target Unix-like systems, they are highly relevant to Windows administrators because rsync is commonly used in WSL, containers, NAS appliances, backup scripts, and cross-platform automation. The recurring theme is that trusted file-transfer utilities have become infrastructure in modern Windows estates, requiring inventory and patching.
CVE-2026-29518 is a high-severity rsync vulnerability disclosed on May 20, 2026, affecting versions before 3.4.3, in which a daemon running without chroot protection can be raced into following attacker-controlled symlinks and writing files outside the intended module path. It is not the sort of...
CVE-2026-43620 is a newly disclosed rsync denial-of-service vulnerability affecting versions before 3.4.3, published May 20, 2026, in which a malicious sender-side peer can crash a pulling rsync client through an out-of-bounds array read in recv_files(). The headline sounds narrow, but the...
Microsoft listed CVE-2026-43618 in its Security Update Guide after rsync 3.4.3 shipped on May 20, 2026, fixing a high-severity integer overflow in versions 3.4.2 and earlier that can let a malicious sender make a receiver disclose process memory over the network. The bug is not a Windows kernel...
CVE-2026-43619 is a newly listed rsync vulnerability affecting versions before 3.4.3, published in May 2026 and tracked by Microsoft’s Security Response Center, in which local attackers can exploit symlink race conditions in path-based system calls to escape intended rsync module boundaries. The...
CVE-2026-41035 is a newly cataloged rsync vulnerability affecting versions 3.0.1 through 3.4.1, disclosed in April 2026, in which receivers using -X or --xattrs can hit a use-after-free condition while processing extended attributes during a qsort operation. The bug is not a Windows kernel...