ZeroPath at Black Hat USA 2026

Rsync CVE-2026-43618: Brief Summary of Integer Overflow Leading to Remote Memory Disclosure

A short review of CVE-2026-43618, an integer overflow in rsync's compressed token decoder that allows a malicious sender to leak sensitive process memory from the receiver, including passwords, environment variables, and ASLR defeating memory pointers.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-19

Rsync CVE-2026-43618: Brief Summary of Integer Overflow Leading to Remote Memory Disclosure
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An integer overflow in rsync's compressed token decoder allows a malicious sender to silently extract sensitive process memory from any rsync receiver running version 3.4.2 or earlier. The leaked data, which can include plaintext passwords, environment variables, and memory layout information sufficient to defeat ASLR, turns what looks like a routine file sync into a potent information disclosure channel.

Technical Information

The vulnerability resides in the compressed token decoder within the rsync receiver process. During normal operation, the decoder uses a 32 bit signed counter to accumulate values as it processes compressed data tokens from the sender. The root cause is the absence of an overflow check on this counter. Because the counter is a signed 32 bit integer, a carefully crafted sequence of compressed tokens from a malicious sender can cause the counter to wrap past its maximum value, resulting in an integer overflow (CWE-190).

Once the overflow occurs, the corrupted counter value is used to calculate buffer offsets for subsequent read operations. This causes the receiver to read data from memory locations outside the intended buffer boundaries, constituting an out of bounds read (CWE-125). The receiver then transmits this out of bounds data back to the sender as part of the normal rsync protocol exchange.

Attack Flow

The exploitation sequence proceeds as follows:

  1. The attacker establishes an rsync connection to a target receiver, acting as the sending side of the transfer.
  2. The attacker sends specially crafted compressed tokens designed to incrementally manipulate the 32 bit signed counter in the decoder without triggering any existing validation.
  3. At a calculated point, the counter overflows, causing the decoder to compute an out of bounds memory offset.
  4. The receiver process reads from the out of bounds location and returns the contents to the attacker over the network as part of the protocol response.
  5. The attacker collects the leaked memory, which may contain environment variables (often holding API keys and configuration secrets), plaintext passwords, heap and stack data reflecting application state, and library memory pointers.

Impact Breakdown

Data Type ExposedSecurity Implication
Environment VariablesMay contain API keys, configuration secrets, and internal network details.
PasswordsDirect credential theft leading to unauthorized access.
Heap and Stack DataExposure of application state and sensitive user data processed by the daemon.
Library Memory PointersBypasses ASLR protections to enable secondary code execution attacks.

The disclosure of library memory pointers is particularly consequential because it directly undermines Address Space Layout Randomization. With knowledge of where shared libraries are mapped in the receiver's address space, an attacker can construct reliable exploits for secondary vulnerabilities that would otherwise be mitigated by ASLR.

Severity Scoring

From a network perspective, exploitation requires no user interaction and only low privileges. The attack vector is network based with low complexity.

SourceFrameworkScoreKey Metrics
GitHub Security AdvisoryCVSS 3.18.1 (High)Network Vector, Low Complexity, High Confidentiality, High Availability
VulnCheckCVSS 4.06.1 (Medium)Network Vector, Low Complexity, High Vulnerable System Confidentiality

The scoring difference reflects how the two CVSS frameworks weight confidentiality and availability impacts differently. Organizations relying on automated score based patching thresholds should be aware of this discrepancy.

Affected Systems and Versions

All rsync versions up to and including 3.4.2 are affected. The vulnerability is resolved in version 3.4.3.

Specifically, any rsync deployment where the receiver accepts connections from untrusted senders and uses compression is vulnerable. This includes rsync daemons exposed to the network that have not explicitly disabled compression via configuration.

For environments where immediate patching is not feasible, compression can be disabled on rsync daemons by adding the following to rsyncd.conf:

refuse options = compress

This prevents the daemon from engaging the vulnerable compressed token decoder.

Vendor Security History

This vulnerability arrives alongside other recent rsync security issues. CVE-2026-41035 is a use after free vulnerability affecting rsync versions 3.0.1 through 3.4.1. The presence of multiple memory safety issues in recent releases highlights the ongoing challenges of maintaining a C codebase that handles complex protocol parsing and compression.

The rsync project, maintained by Wayne Davison and hosted under the RsyncProject organization on GitHub, responded promptly by releasing version 3.4.3 with the combined security fixes. The discovery of CVE-2026-43618 was credited to security researcher Omar Elsayed.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization