{ "document": { "aggregate_severity": { "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" }, { "category": "details", "text": "CVE-2026-43620: fix client SIGSEGV via parent_ndx<0 in receiver\n- CVE-2026-43617: fix hostname ACL bypass via post-chroot DNS lookup", "title": "Details" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779787578", "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779787578" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/tuxcare9.6esu/advisories/2026/clsa-2026_1779787578.json" } ], "tracking": { "current_release_date": "2026-05-26T09:26:53Z", "generator": { "date": "2026-05-26T09:26:53Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2026:1779787578", "initial_release_date": "2026-05-26T09:26:53Z", "revision_history": [ { "date": "2026-05-26T09:26:53Z", "number": "1", "summary": "Initial version" } ], "status": "final", "version": "1" }, "title": "rsync: Fix of 2 CVEs" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "AlmaLinux 9.6", "product": { "name": "AlmaLinux 9.6", "product_id": "AlmaLinux-9.6", "product_identification_helper": { "cpe": "cpe:2.3:o:almalinux:almalinux:9.6:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "AlmaLinux" } ], "category": "vendor", "name": "AlmaLinux OS Foundation" }, { "branches": [ { "branches": [ { "category": "product_name", "name": "Rocky Linux 9.6", "product": { "name": "Rocky Linux 9.6", "product_id": "Rocky Linux-9.6", "product_identification_helper": { "cpe": "cpe:2.3:o:resf:rocky_linux:9.6:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Rocky Linux" } ], "category": "vendor", "name": "Rocky Linux" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64", "product": { "name": "rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64", "product_id": "rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/rsync@3.2.5-3.el9_6.tuxcare.els4?arch=x86_64" } } }, { "category": "product_version", "name": "rsync-0:3.2.5-3.el9_6.tuxcare.els3.x86_64", "product": { "name": "rsync-0:3.2.5-3.el9_6.tuxcare.els3.x86_64", "product_id": "rsync-0:3.2.5-3.el9_6.tuxcare.els3.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/rsync@3.2.5-3.el9_6.tuxcare.els3?arch=x86_64" } } }, { "category": "product_version", "name": "rsync-0:3.2.5-3.el9.tuxcare.els2.x86_64", "product": { "name": "rsync-0:3.2.5-3.el9.tuxcare.els2.x86_64", "product_id": "rsync-0:3.2.5-3.el9.tuxcare.els2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/rsync@3.2.5-3.el9.tuxcare.els2?arch=x86_64" } } }, { "category": "product_version", "name": "rsync-0:3.2.5-3.el9.tuxcare.els1.x86_64", "product": { "name": "rsync-0:3.2.5-3.el9.tuxcare.els1.x86_64", "product_id": "rsync-0:3.2.5-3.el9.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/rsync@3.2.5-3.el9.tuxcare.els1?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "product": { "name": "rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "product_id": "rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/rsync-daemon@3.2.5-3.el9_6.tuxcare.els4?arch=noarch" } } }, { "category": "product_version", "name": "rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "product": { "name": "rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "product_id": "rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/rsync-rrsync@3.2.5-3.el9_6.tuxcare.els4?arch=noarch" } } }, { "category": "product_version", "name": "rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "product": { "name": "rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "product_id": "rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/rsync-rrsync@3.2.5-3.el9_6.tuxcare.els3?arch=noarch" } } }, { "category": "product_version", "name": "rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "product": { "name": "rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "product_id": "rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/rsync-daemon@3.2.5-3.el9_6.tuxcare.els3?arch=noarch" } } }, { "category": "product_version", "name": "rsync-rrsync-0:3.2.5-3.el9.tuxcare.els2.noarch", "product": { "name": "rsync-rrsync-0:3.2.5-3.el9.tuxcare.els2.noarch", "product_id": "rsync-rrsync-0:3.2.5-3.el9.tuxcare.els2.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/rsync-rrsync@3.2.5-3.el9.tuxcare.els2?arch=noarch" } } }, { "category": "product_version", "name": "rsync-daemon-0:3.2.5-3.el9.tuxcare.els2.noarch", "product": { "name": "rsync-daemon-0:3.2.5-3.el9.tuxcare.els2.noarch", "product_id": "rsync-daemon-0:3.2.5-3.el9.tuxcare.els2.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/rsync-daemon@3.2.5-3.el9.tuxcare.els2?arch=noarch" } } }, { "category": "product_version", "name": "rsync-rrsync-0:3.2.5-3.el9.tuxcare.els1.noarch", "product": { "name": "rsync-rrsync-0:3.2.5-3.el9.tuxcare.els1.noarch", "product_id": "rsync-rrsync-0:3.2.5-3.el9.tuxcare.els1.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/rsync-rrsync@3.2.5-3.el9.tuxcare.els1?arch=noarch" } } }, { "category": "product_version", "name": "rsync-daemon-0:3.2.5-3.el9.tuxcare.els1.noarch", "product": { "name": "rsync-daemon-0:3.2.5-3.el9.tuxcare.els1.noarch", "product_id": "rsync-daemon-0:3.2.5-3.el9.tuxcare.els1.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/rsync-daemon@3.2.5-3.el9.tuxcare.els1?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64" }, "product_reference": "rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch" }, "product_reference": "rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch" }, "product_reference": "rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64" }, "product_reference": "rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch" }, "product_reference": "rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch" }, "product_reference": "rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els3.noarch as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els3.noarch" }, "product_reference": "rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els3.noarch as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els3.noarch" }, "product_reference": "rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-0:3.2.5-3.el9_6.tuxcare.els3.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els3.x86_64" }, "product_reference": "rsync-0:3.2.5-3.el9_6.tuxcare.els3.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els3.noarch as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els3.noarch" }, "product_reference": "rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els3.noarch as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els3.noarch" }, "product_reference": "rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-0:3.2.5-3.el9_6.tuxcare.els3.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els3.x86_64" }, "product_reference": "rsync-0:3.2.5-3.el9_6.tuxcare.els3.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-0:3.2.5-3.el9.tuxcare.els2.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els2.x86_64" }, "product_reference": "rsync-0:3.2.5-3.el9.tuxcare.els2.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-rrsync-0:3.2.5-3.el9.tuxcare.els2.noarch as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els2.noarch" }, "product_reference": "rsync-rrsync-0:3.2.5-3.el9.tuxcare.els2.noarch", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-daemon-0:3.2.5-3.el9.tuxcare.els2.noarch as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els2.noarch" }, "product_reference": "rsync-daemon-0:3.2.5-3.el9.tuxcare.els2.noarch", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-0:3.2.5-3.el9.tuxcare.els2.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els2.x86_64" }, "product_reference": "rsync-0:3.2.5-3.el9.tuxcare.els2.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-rrsync-0:3.2.5-3.el9.tuxcare.els2.noarch as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els2.noarch" }, "product_reference": "rsync-rrsync-0:3.2.5-3.el9.tuxcare.els2.noarch", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-daemon-0:3.2.5-3.el9.tuxcare.els2.noarch as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els2.noarch" }, "product_reference": "rsync-daemon-0:3.2.5-3.el9.tuxcare.els2.noarch", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-0:3.2.5-3.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els1.x86_64" }, "product_reference": "rsync-0:3.2.5-3.el9.tuxcare.els1.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-rrsync-0:3.2.5-3.el9.tuxcare.els1.noarch as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els1.noarch" }, "product_reference": "rsync-rrsync-0:3.2.5-3.el9.tuxcare.els1.noarch", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-daemon-0:3.2.5-3.el9.tuxcare.els1.noarch as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els1.noarch" }, "product_reference": "rsync-daemon-0:3.2.5-3.el9.tuxcare.els1.noarch", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-0:3.2.5-3.el9.tuxcare.els1.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els1.x86_64" }, "product_reference": "rsync-0:3.2.5-3.el9.tuxcare.els1.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-rrsync-0:3.2.5-3.el9.tuxcare.els1.noarch as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els1.noarch" }, "product_reference": "rsync-rrsync-0:3.2.5-3.el9.tuxcare.els1.noarch", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "rsync-daemon-0:3.2.5-3.el9.tuxcare.els1.noarch as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els1.noarch" }, "product_reference": "rsync-daemon-0:3.2.5-3.el9.tuxcare.els1.noarch", "relates_to_product_reference": "Rocky Linux-9.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-43617", "cwe": { "id": "CWE-289", "name": "Authentication Bypass by Alternate Name" }, "notes": [ { "category": "description", "text": "Rsync versionĀ 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64", "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "Rocky Linux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64", "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch" ], "known_affected": [ "AlmaLinux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els1.x86_64", "AlmaLinux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els2.x86_64", "AlmaLinux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els3.x86_64", "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els1.noarch", "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els2.noarch", "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els1.noarch", "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els2.noarch", "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "Rocky Linux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els1.x86_64", "Rocky Linux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els2.x86_64", "Rocky Linux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els3.x86_64", "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els1.noarch", "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els2.noarch", "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els1.noarch", "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els2.noarch", "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els3.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-43617" }, { "category": "external", "summary": "https://github.com/RsyncProject/rsync/releases/tag/v3.4.3", "url": "https://github.com/RsyncProject/rsync/releases/tag/v3.4.3" }, { "category": "external", "summary": "https://github.com/RsyncProject/rsync/security/advisories/GHSA-rjfm-3w2m-jf4f", "url": "https://github.com/RsyncProject/rsync/security/advisories/GHSA-rjfm-3w2m-jf4f" }, { "category": "external", "summary": "https://www.vulncheck.com/advisories/rsync-authorization-bypass-via-hostname-resolution", "url": "https://www.vulncheck.com/advisories/rsync-authorization-bypass-via-hostname-resolution" } ], "release_date": "2026-05-20T02:16:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-05-26T09:26:21.236951Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1779787578", "product_ids": [ "AlmaLinux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64", "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "Rocky Linux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64", "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779787578" }, { "category": "none_available", "date": "2026-05-20T02:16:00Z", "details": "Affected", "product_ids": [ "AlmaLinux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els1.x86_64", "AlmaLinux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els2.x86_64", "AlmaLinux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els3.x86_64", "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els1.noarch", "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els2.noarch", "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els1.noarch", "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els2.noarch", "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "Rocky Linux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els1.x86_64", "Rocky Linux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els2.x86_64", "Rocky Linux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els3.x86_64", "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els1.noarch", "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els2.noarch", "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els1.noarch", "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els2.noarch", "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els3.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AlmaLinux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64", "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "Rocky Linux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64", "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2026-43620", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "category": "description", "text": "Rsync versionĀ 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64", "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "Rocky Linux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64", "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch" ], "known_affected": [ "AlmaLinux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els1.x86_64", "AlmaLinux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els2.x86_64", "AlmaLinux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els3.x86_64", "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els1.noarch", "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els2.noarch", "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els1.noarch", "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els2.noarch", "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "Rocky Linux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els1.x86_64", "Rocky Linux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els2.x86_64", "Rocky Linux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els3.x86_64", "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els1.noarch", "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els2.noarch", "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els1.noarch", "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els2.noarch", "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els3.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-43620" }, { "category": "external", "summary": "https://github.com/RsyncProject/rsync/releases/tag/v3.4.3", "url": "https://github.com/RsyncProject/rsync/releases/tag/v3.4.3" }, { "category": "external", "summary": "https://github.com/RsyncProject/rsync/security/advisories/GHSA-28pw-r563-rxvm", "url": "https://github.com/RsyncProject/rsync/security/advisories/GHSA-28pw-r563-rxvm" }, { "category": "external", "summary": "https://www.vulncheck.com/advisories/rsync-out-of-bounds-array-read-via-recv-files", "url": "https://www.vulncheck.com/advisories/rsync-out-of-bounds-array-read-via-recv-files" } ], "release_date": "2026-05-20T02:16:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-05-26T09:26:21.236951Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1779787578", "product_ids": [ "AlmaLinux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64", "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "Rocky Linux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64", "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779787578" }, { "category": "none_available", "date": "2026-05-20T02:16:00Z", "details": "Affected", "product_ids": [ "AlmaLinux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els1.x86_64", "AlmaLinux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els2.x86_64", "AlmaLinux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els3.x86_64", "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els1.noarch", "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els2.noarch", "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els1.noarch", "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els2.noarch", "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "Rocky Linux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els1.x86_64", "Rocky Linux-9.6:rsync-0:3.2.5-3.el9.tuxcare.els2.x86_64", "Rocky Linux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els3.x86_64", "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els1.noarch", "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9.tuxcare.els2.noarch", "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els3.noarch", "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els1.noarch", "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9.tuxcare.els2.noarch", "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els3.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64", "AlmaLinux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "AlmaLinux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "Rocky Linux-9.6:rsync-0:3.2.5-3.el9_6.tuxcare.els4.x86_64", "Rocky Linux-9.6:rsync-daemon-0:3.2.5-3.el9_6.tuxcare.els4.noarch", "Rocky Linux-9.6:rsync-rrsync-0:3.2.5-3.el9_6.tuxcare.els4.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] } ] }