PatchSiren cyber security CVE debrief

CVE-2026-45232 Samba CVE debrief

CVE-2026-45232 affects Rsync versions before 3.4.3 and is a low-severity memory corruption flaw in HTTP proxy handling. The issue is an off-by-one out-of-bounds stack write in establish_proxy_connection() in socket.c, triggered when a malformed proxy response line of 1023 or more bytes is sent without a newline terminator. The vulnerability can be reached over the network, but it requires user interaction: RSYNC_PROXY must be set, and the attacker must be able to influence or intercept the proxy path.

Vendor: Samba
Product: Rsync
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Administrators and developers who use Rsync with the RSYNC_PROXY environment variable enabled, especially in environments where proxy traffic may be controlled, intercepted, or otherwise influenced by an attacker. Security teams should also care about systems pinned to Rsync releases earlier than 3.4.3.

Technical summary

NVD describes the weakness as CWE-193 (off-by-one error). In affected versions, a malformed HTTP proxy response can cause a NUL terminator byte to be written one byte past the end of the intended stack buffer in establish_proxy_connection(). The CVSS v4.0 vector reflects network reachability, high attack complexity, and required user interaction, with low availability impact and no identified confidentiality or integrity impact in the record.
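To make the CWE-193 pattern concrete, the following is an added illustration of a bounded proxy-response line reader, written for this debrief and not taken from rsync's socket.c. It assumes a 1024-byte buffer (LINE_BUF) to mirror the 1023-byte trigger and uses an in-memory fake socket in place of a real connection; the point is that the loop bound reserves the last slot for the terminator, so an unterminated over-long line is rejected rather than written past the buffer.

```c
/* Constructed illustration (not rsync's own code): a proxy-response line
 * reader that always keeps room for the NUL terminator, so an unterminated
 * line of LINE_BUF-1 or more bytes is rejected instead of overrunning the buffer. */
#include <stdio.h>
#include <string.h>
#define LINE_BUF 1024  /* assumed buffer size, chosen to mirror the 1023-byte trigger */

/* Fake socket: an in-memory byte source so the example runs offline. */
struct fake_sock { const char *data; size_t len, pos; };
static int fake_read_byte(struct fake_sock *s, char *out) {
    if (s->pos >= s->len) return 0;  /* peer closed the connection */
    *out = s->data[s->pos++];
    return 1;
}

/* Returns the line length (CR/LF stripped) or -1 if the line is malformed.
 * The bound bufsize - 1 reserves the last slot for the terminator. */
static int read_proxy_line(struct fake_sock *s, char *buf, size_t bufsize) {
    size_t len = 0;
    char c;
    while (fake_read_byte(s, &c)) {
        if (c == '\n') {
            if (len > 0 && buf[len - 1] == '\r') len--;
            buf[len] = '\0';
            return (int)len;
        }
        if (len >= bufsize - 1) return -1;  /* no room left: reject, don't overrun */
        buf[len++] = c;
    }
    return -1;  /* EOF before any newline: also malformed */
}

/* Feeds a constructed response of n 'A' bytes, optionally newline-terminated,
 * through the reader; 1 if accepted, 0 if rejected, -1 if n is too large. */
int demo_line_of(size_t n, int newline) {
    char line[LINE_BUF], resp[2048];
    struct fake_sock s = { resp, 0, 0 };
    if (n + 1 > sizeof resp) return -1;
    memset(resp, 'A', n);
    if (newline) resp[n++] = '\n';
    s.len = n;
    return read_proxy_line(&s, line, sizeof line) >= 0;
}

int main(void) {
    printf("1023 bytes + newline: %d\n", demo_line_of(1023, 1));   /* 1: fits with terminator */
    printf("1023 bytes, no newline: %d\n", demo_line_of(1023, 0)); /* 0: rejected */
    printf("1024 bytes + newline: %d\n", demo_line_of(1024, 1));   /* 0: rejected */
    return 0;
}
```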

Defensive priority

Low to moderate. The CVSS score is low, but the flaw is memory-corruption related and is reachable over the network when proxy conditions are met. Prioritize remediation on exposed or proxy-dependent Rsync deployments, then confirm all installations are at 3.4.3 or later.

Recommended defensive actions

  • Upgrade Rsync to version 3.4.3 or later.
  • Review whether RSYNC_PROXY is used in production or privileged automation contexts.
  • If proxy use is required, restrict which proxy endpoints can be reached so that an attacker cannot supply or tamper with proxy responses.
  • Inventory hosts running affected Rsync versions and verify package manager or vendor backports where applicable.
  • Monitor vendor and release-note guidance for any additional hardening or backported fixes.

Evidence notes

The CVE record and NVD entry identify Rsync before 3.4.3 as vulnerable and describe an off-by-one out-of-bounds stack write in establish_proxy_connection() in socket.c. The supplied description states the trigger is a malformed HTTP proxy response line of 1023 or more bytes without a newline terminator, and that exploitation depends on RSYNC_PROXY being set. The NVD metadata classifies the weakness as CWE-193 and shows CVSS 4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L. Release notes and vendor advisory links are provided as mitigation references for the 3.4.3 fix.

Official resources

CVE published on 2026-05-20 and last modified on 2026-05-21. The supplied source record is NVD-analyzed and includes vendor and release-note references for the 3.4.3 fix.