SB2026060484 - SUSE update for rsync
Published: June 4, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 13 vulnerabilities.
1) Heap-based buffer overflow (CVE-ID: CVE-2024-12084)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Red
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when handling checksum lengths (s2length). A remote attacker can send specially crafted packets to the daemon, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Use of Uninitialized Variable (CVE-ID: CVE-2024-12085)
CWE-ID: CWE-457 - Use of Uninitialized Variable
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to information leak when comparing file checksums. A remote attacker can pass specially crafted data to the daemon and read 1 byte of uninitialized memory from stack.
3) Path traversal (CVE-ID: CVE-2024-12087)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote server to write files to arbitrary locations on the system.
The vulnerability exists due to input validation error when using "--inc-recursive" option. A remote attacker can can trick the victim into connecting to a rouge rsync server and write arbitrary files to arbitrary locations on the client system.
4) Path traversal (CVE-ID: CVE-2024-12088)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote server to write files to arbitrary locations on the system.
5) Race condition (CVE-ID: CVE-2024-12747)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to a race condition when handling symbolic links. A local user can replace a file with a symbolic link, bypass implemented protection in rsync that prevents software from following symbolic links and read contents of arbitrary files on the system with elevated privileges.
6) Out-of-bounds read (CVE-ID: CVE-2025-10158)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to perform a denial of service attack.
The vulnerability exists due to a boundary condition within the send_files() function in sender.c. A remote user can trigger an out-of-bounds read error and perform a denial of service attack.
7) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-29518)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information and overwrite files outside the module.
The vulnerability exists due to a time-of-check time-of-use symlink race condition in daemon mode path handling when processing file operations on parent path components without chroot. A local user can replace a parent directory component with a symlink between the check and open operation to disclose sensitive information and overwrite files outside the module.
Only daemon configurations with use chroot = no for a module are vulnerable.
8) Use-after-free (CVE-ID: CVE-2026-41035)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service and disclose sensitive information.
The vulnerability exists due to use-after-free in receive_xattr() in xattrs.c when processing xattr data from a malicious rsync sender. A remote attacker can send specially crafted xattr metadata to cause a denial of service and disclose sensitive information.
Exploitation requires xattr transfer to be enabled. On Linux, additional conditions apply: the receiver must use --fake-super or an xattr filter that passes non-user namespace xattrs; on FreeBSD and macOS, configurations using xattrs are affected when more than one xattr is processed.
9) Improper access control (CVE-ID: CVE-2026-43617)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass hostname-based access controls.
The vulnerability exists due to improper access control in reverse-DNS lookup handling in rsync daemon mode when processing connections after entering the daemon chroot. A remote attacker can connect from a denied hostname and cause hostname-based deny rules to fail open to bypass hostname-based access controls.
Only daemon configurations with daemon chroot = /X are affected when the chroot tree lacks DNS resolution support. IP-based ACLs are unaffected.
10) Integer overflow (CVE-ID: CVE-2026-43618)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to an integer overflow in the compressed-token decoder when processing compressed token data from an authenticated daemon connection. A remote user can send crafted compressed-token data to disclose sensitive information.
The disclosed memory may include environment variables, passwords, heap data, and library pointers.
11) Link following (CVE-ID: CVE-2026-43619)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to overwrite files and manipulate filesystem objects outside the module.
The vulnerability exists due to symlink race conditions in path-based system calls in daemon mode when handling path-based system calls without chroot. A local user can replace path components with symlinks during filesystem operations to overwrite files and manipulate filesystem objects outside the module.
Only daemon configurations with use chroot = no for a module are vulnerable.
12) Out-of-bounds read (CVE-ID: CVE-2026-43620)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in recv_files() when processing a crafted file list and transfer record from a malicious server. A remote attacker can send a crafted file list and transfer record to cause a denial of service.
The issue is reachable by any client pulling from a malicious server, and no special options are required on the victim because inc_recurse is the protocol-30+ default.
13) Off-by-one (CVE-ID: CVE-2026-45232)
CWE-ID: CWE-193 - Off-by-one Error
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an off-by-one out-of-bounds stack write in establish_proxy_connection() in socket.c when processing the first response line from an HTTP CONNECT proxy. A remote attacker can return a pathological proxy response line without a newline terminator to cause a denial of service.
The issue is reachable only on the client side when RSYNC_PROXY is set, and the written byte is a fixed \0.
Remediation
Install update from vendor's website.