Introduction
An integer overflow in rsync's compressed token decoder allows a malicious sender to silently extract sensitive process memory from any rsync receiver running version 3.4.2 or earlier. The leaked data, which can include plaintext passwords, environment variables, and memory layout information sufficient to defeat ASLR, turns what looks like a routine file sync into a potent information disclosure channel.
Technical Information
The vulnerability resides in the compressed token decoder within the rsync receiver process. During normal operation, the decoder uses a 32 bit signed counter to accumulate values as it processes compressed data tokens from the sender. The root cause is the absence of an overflow check on this counter. Because the counter is a signed 32 bit integer, a carefully crafted sequence of compressed tokens from a malicious sender can cause the counter to wrap past its maximum value, resulting in an integer overflow (CWE-190).
Once the overflow occurs, the corrupted counter value is used to calculate buffer offsets for subsequent read operations. This causes the receiver to read data from memory locations outside the intended buffer boundaries, constituting an out of bounds read (CWE-125). The receiver then transmits this out of bounds data back to the sender as part of the normal rsync protocol exchange.
Attack Flow
The exploitation sequence proceeds as follows:
- The attacker establishes an rsync connection to a target receiver, acting as the sending side of the transfer.
- The attacker sends specially crafted compressed tokens designed to incrementally manipulate the 32 bit signed counter in the decoder without triggering any existing validation.
- At a calculated point, the counter overflows, causing the decoder to compute an out of bounds memory offset.
- The receiver process reads from the out of bounds location and returns the contents to the attacker over the network as part of the protocol response.
- The attacker collects the leaked memory, which may contain environment variables (often holding API keys and configuration secrets), plaintext passwords, heap and stack data reflecting application state, and library memory pointers.
Impact Breakdown
| Data Type Exposed | Security Implication |
|---|---|
| Environment Variables | May contain API keys, configuration secrets, and internal network details. |
| Passwords | Direct credential theft leading to unauthorized access. |
| Heap and Stack Data | Exposure of application state and sensitive user data processed by the daemon. |
| Library Memory Pointers | Bypasses ASLR protections to enable secondary code execution attacks. |
The disclosure of library memory pointers is particularly consequential because it directly undermines Address Space Layout Randomization. With knowledge of where shared libraries are mapped in the receiver's address space, an attacker can construct reliable exploits for secondary vulnerabilities that would otherwise be mitigated by ASLR.
Severity Scoring
From a network perspective, exploitation requires no user interaction and only low privileges. The attack vector is network based with low complexity.
| Source | Framework | Score | Key Metrics |
|---|---|---|---|
| GitHub Security Advisory | CVSS 3.1 | 8.1 (High) | Network Vector, Low Complexity, High Confidentiality, High Availability |
| VulnCheck | CVSS 4.0 | 6.1 (Medium) | Network Vector, Low Complexity, High Vulnerable System Confidentiality |
The scoring difference reflects how the two CVSS frameworks weight confidentiality and availability impacts differently. Organizations relying on automated score based patching thresholds should be aware of this discrepancy.
Affected Systems and Versions
All rsync versions up to and including 3.4.2 are affected. The vulnerability is resolved in version 3.4.3.
Specifically, any rsync deployment where the receiver accepts connections from untrusted senders and uses compression is vulnerable. This includes rsync daemons exposed to the network that have not explicitly disabled compression via configuration.
For environments where immediate patching is not feasible, compression can be disabled on rsync daemons by adding the following to rsyncd.conf:
refuse options = compress
This prevents the daemon from engaging the vulnerable compressed token decoder.
Vendor Security History
This vulnerability arrives alongside other recent rsync security issues. CVE-2026-41035 is a use after free vulnerability affecting rsync versions 3.0.1 through 3.4.1. The presence of multiple memory safety issues in recent releases highlights the ongoing challenges of maintaining a C codebase that handles complex protocol parsing and compression.
The rsync project, maintained by Wayne Davison and hosted under the RsyncProject organization on GitHub, responded promptly by releasing version 3.4.3 with the combined security fixes. The discovery of CVE-2026-43618 was credited to security researcher Omar Elsayed.



