Rsync

This hub aggregates every CVE we track for Rsync, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Rsync.

• CVE-2026-29518Rsync < 3.4.3 TOCTOU Race Condition Allows Symlink-Based Arbitrary File Write7.0May 20, 2026
• CVE-2026-43617Rsync < 3.4.3 Authorization Bypass via Hostname Resolution4.8May 20, 2026
• CVE-2026-43618Rsync < 3.4.3 Integer Overflow Information Disclosure8.1May 20, 2026
• CVE-2026-43619Rsync < 3.4.3 Symlink Race Condition via Path-Based Syscalls6.3May 20, 2026
• CVE-2026-43620Rsync < 3.4.3 Out-of-Bounds Array Read via recv_files()6.5May 20, 2026
• CVE-2026-45232Rsync < 3.4.3 Off-by-One Stack Write via HTTP Proxy3.1May 20, 2026
• CVE-2026-41035In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux...7.4Apr 16, 2026
• CVE-2025-10158Rsync: Out of bounds array access via negative index4.3Nov 18, 2025
• CVE-2024-12084Rsync: heap buffer overflow in rsync due to improper checksum length handling9.8Jan 15, 2025
• CVE-2024-12087Rsync: path traversal vulnerability in rsync6.5Jan 14, 2025
• CVE-2024-12747Rsync: race condition in rsync handling symbolic links5.6Jan 14, 2025
• CVE-2024-12088Rsync: --safe-links option bypass leads to path traversal6.5Jan 14, 2025
• CVE-2024-12086Rsync: rsync server leaks arbitrary client files6.1Jan 14, 2025
• CVE-2024-12085Rsync: info leak via uninitialized stack contents7.5Jan 14, 2025
• CVE-2022-29154An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories ar...7.4Aug 2, 2022