rsync vulnerability

CVE-2026-29518 is a high-severity rsync vulnerability disclosed on May 20, 2026, affecting versions before 3.4.3, in which a daemon running without chroot protection can be raced into following attacker-controlled symlinks and writing files outside the intended module path. It is not the sort of...

CVE-2026-43620 is a newly disclosed rsync denial-of-service vulnerability affecting versions before 3.4.3, published May 20, 2026, in which a malicious sender-side peer can crash a pulling rsync client through an out-of-bounds array read in recv_files(). The headline sounds narrow, but the...

Microsoft listed CVE-2026-43618 in its Security Update Guide after rsync 3.4.3 shipped on May 20, 2026, fixing a high-severity integer overflow in versions 3.4.2 and earlier that can let a malicious sender make a receiver disclose process memory over the network. The bug is not a Windows kernel...

CVE-2026-43619 is a newly listed rsync vulnerability affecting versions before 3.4.3, published in May 2026 and tracked by Microsoft’s Security Response Center, in which local attackers can exploit symlink race conditions in path-based system calls to escape intended rsync module boundaries. The...

CVE-2026-41035 is a newly cataloged rsync vulnerability affecting versions 3.0.1 through 3.4.1, disclosed in April 2026, in which receivers using -X or --xattrs can hit a use-after-free condition while processing extended attributes during a qsort operation. The bug is not a Windows kernel...