{
  "threat_severity" : "Important",
  "public_date" : "2026-05-20T00:00:00Z",
  "bugzilla" : {
    "description" : "rsync: rsync: Remote memory disclosure via integer overflow in compressed-token decoding",
    "id" : "2469054",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2469054"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-190",
  "details" : [ "Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation.", "A flaw was found in rsync. An authenticated daemon peer can exploit an integer overflow vulnerability in the compressed-token decoder. By carefully manipulating the compressed-token, a malicious sender can trigger an overflow, leading to remote memory disclosure. This allows an attacker to leak sensitive process memory contents, including environment variables, passwords, and memory pointers, which significantly weakens Address Space Layout Randomization (ASLR) and can facilitate further exploitation." ],
  "statement" : "This flaw in rsync's compressed-token decoding allows an authenticated remote attacker to trigger an integer overflow. This can lead to memory disclosure, potentially exposing sensitive information such as environment variables or heap pointers, thereby weakening Address Space Layout Randomization (ASLR) and aiding further exploitation. The vulnerability is present when rsync is configured as a daemon with compression enabled, which is the default for protocols version 30 and higher.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-06-16T00:00:00Z",
    "advisory" : "RHSA-2026:26332",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "rsync-0:3.4.4-1.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-16T00:00:00Z",
    "advisory" : "RHSA-2026:26408",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "rsync-0:3.1.3-27.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-06-16T00:00:00Z",
    "advisory" : "RHSA-2026:26410",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "rsync-0:3.2.5-7.el9_8.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-06-16T00:00:00Z",
    "advisory" : "RHSA-2026:26410",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "rsync-0:3.2.5-7.el9_8.2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Affected",
    "package_name" : "rsync",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "rsync",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-43618\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43618" ],
  "name" : "CVE-2026-43618",
  "mitigation" : {
    "value" : "Disable compression on the rsync daemon by adding `refuse options = compress` to the `rsyncd.conf` file. A restart of the rsync daemon service is required for the change to take effect and may impact transfer performance.",
    "lang" : "en:us"
  },
  "csaw" : false
}