PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43620 Samba CVE debrief

CVE-2026-43620 affects rsync 3.4.2 and earlier and can let a malicious rsync server crash the rsync client process. The flaw is a receiver-side out-of-bounds array read in recv_files() that can lead to a deterministic SIGSEGV when a crafted file list and transfer record are processed. NVD lists the issue as medium severity (CVSS 6.9) and the published vendor materials point to rsync 3.4.3 as the fix.

Vendor: Samba
Product: Rsync
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Organizations and users that run rsync clients against third-party, partner, or otherwise untrusted rsync servers should care most. This is especially relevant for automated sync jobs, backup workflows, and systems where a client crash would disrupt availability or job completion.

Technical summary

The issue is in recv_files() within receiver.c on the client side. According to the supplied description, a malicious server can set CF_INC_RECURSE in the compatibility flags and send a specially crafted file list so that the first sorted entry is not the leading dot directory. A subsequent transfer record with ndx=0 and an iflag word without ITEM_TRANSFER can then cause the receiver to read 8 bytes before an allocated pointer array and dereference an invalid pointer at an unmapped address. The supplied material describes the result as a client-side crash only; it reports neither memory disclosure nor code execution.

Defensive priority

Medium. The vulnerability is network-reachable but requires user interaction in the form of the client connecting to a malicious server. Prioritize faster remediation for environments that sync from untrusted or externally supplied rsync endpoints because the practical impact is denial of service.

Recommended defensive actions

  • Upgrade rsync to 3.4.3 or later, as indicated by the vendor release notes and advisory.
  • Inventory systems that use rsync as a client, especially backup, mirroring, and automation jobs that connect to external servers.
  • Treat rsync servers and endpoints as trusted only when their operator and content are controlled; avoid syncing from unknown servers.
  • If immediate upgrade is not possible, restrict which servers rsync clients may connect to and monitor for unexpected client crashes or failed sync jobs.
  • Review scheduled jobs and scripts that invoke rsync so that affected versions can be identified quickly across the fleet.
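An added example (not PatchSiren's or the rsync project's code) supporting the inventory and version-identification steps above: a POSIX sh helper that parses the first line of `rsync --version` as collected from hosts and flags anything older than the fixed 3.4.3 release. The banner lines are constructed, and the `rsync  version X  protocol version Y` first-line format is assumed.

```shell
#!/bin/sh
# Added example, not from the PatchSiren page or the rsync project.
# Classifies rsync version banners against the fixed release named
# on the page (3.4.3). Banner format assumed; sample lines constructed.

FIXED_VERSION="3.4.3"

# Extract the dotted version from the first line of `rsync --version`.
rsync_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^rsync[[:space:]]*version[[:space:]]*\([0-9][0-9.]*\).*/\1/p'
}

# Compare two dotted versions component by component (missing parts = 0).
# Prints -1, 0 or 1 for a < b, a = b, a > b.
version_cmp() {
    a_rest="$1."; b_rest="$2."
    while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
        x=${a_rest%%.*}; a_rest=${a_rest#*.}
        y=${b_rest%%.*}; b_rest=${b_rest#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && { printf '%s\n' -1; return; }
        [ "$x" -gt "$y" ] && { printf '%s\n' 1; return; }
    done
    printf '%s\n' 0
}

# Succeeds (exit 0) when the version is below FIXED_VERSION.
is_affected() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# One-line verdict for a collected banner line.
report_banner() {
    ver=$(rsync_version_from_banner "$1")
    if [ -z "$ver" ]; then printf '%s\n' "unknown"; return; fi
    if is_affected "$ver"; then
        printf '%s\n' "AFFECTED $ver (upgrade to $FIXED_VERSION or later)"
    else
        printf '%s\n' "ok $ver"
    fi
}

# Constructed sample banners, one per host, as a fleet collector might gather.
SAMPLE_BANNERS='rsync  version 3.4.2  protocol version 32
rsync  version 3.4.3  protocol version 32
rsync  version 3.2.7  protocol version 31'

printf '%s\n' "$SAMPLE_BANNERS" | while IFS= read -r line; do
    report_banner "$line"
done
```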

Evidence notes

The supplied CVE record states that rsync 3.4.2 and prior contain a receiver-side out-of-bounds array read in recv_files() in receiver.c. NVD maps the affected CPE to samba:rsync versions through 3.4.2 and lists a CVSS 4.0 score with availability impact only. The referenced vendor release notes for rsync v3.4.3 and the linked GitHub security advisory are the authoritative remediation sources provided in the corpus. The published date used here is the CVE publication timestamp of 2026-05-20; the later modified timestamp of 2026-05-21 is not treated as the issue date.

Official resources

Publicly disclosed and published on 2026-05-20, with the record modified on 2026-05-21. The supplied references indicate the fix is available in rsync v3.4.3.