Samba Rsync
15 CVEs affecting Samba Rsync. Latest disclosed: 2026-05-20. Critical: 3, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2017-17434 | Critical | 9.8 | 2017-12-06 | The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv… |
| CVE-2017-16548 | Critical | 9.8 | 2017-11-06 | The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote… |
| CVE-2017-15994 | Critical | 9.8 | 2017-10-29 | rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. NOTE… |
| CVE-2026-43618 | High | 8.1 | 2026-05-20 | Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overfl… |
| CVE-2026-41035 | High | 7.4 | 2026-04-16 | In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run… |
| CVE-2026-29518 | High | 7.0 | 2026-05-20 | Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file write… |
| CVE-2026-43620 | Medium | 6.5 | 2026-05-20 | Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server… |
| CVE-2026-43619 | Medium | 6.3 | 2026-05-20 | Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir… |
| CVE-2024-12086 | Medium | 6.1 | 2025-01-14 | A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are b… |
| CVE-2026-43617 | Medium | 4.8 | 2026-05-20 | Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configure… |
| CVE-2017-17433 | Low | 3.7 | 2017-12-06 | The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before… |
| CVE-2026-45232 | Low | 3.1 | 2026-05-20 | Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c that allows… |
| CVE-2014-9512 | | | 2015-02-12 | rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path. |
| CVE-2014-2855 | | | 2014-04-23 | The check_secret function in authenticate.c in rsync 3.1.0 and earlier allows remote attackers to cause a denial of service (infinite loop and CPU consumption)… |
| CVE-2011-1097 | | | 2011-03-30 | rsync 3.x before 3.0.8, when certain recursion, deletion, and ownership options are used, allows remote rsync servers to cause a denial of service (heap memory… |