
Multiple rsync Vulnerabilities Affect Ubuntu 22.04, 24.04, 25.10, and 26.04 LTS

Severity: High (Score: 74.0)

Sources: Ubuntu, Linuxsecurity

Published: 2026-05-21 · Updated: 2026-05-21

Keywords: ubuntu, rsync, issues, security, issue, read, important

Severity indicators: issue, security issue

Summary

Several vulnerabilities were identified in rsync affecting multiple Ubuntu releases. CVE-2025-10158 allows a remote attacker with read access to an rsync server to cause a denial of service through a heap-based out-of-bounds read. CVE-2026-29518 exposes rsync daemons running without chroot protection to race conditions, allowing a local attacker with write access to overwrite files or escalate privileges. Additional vulnerabilities (CVE-2026-41035, CVE-2026-43617, CVE-2026-43618, CVE-2026-43619, CVE-2026-43620, CVE-2026-45232) were also fixed in the same update, some allowing denial of service or information disclosure. Affected releases are Ubuntu 22.04 LTS, 24.04 LTS, 25.10, and 26.04 LTS. Users are advised to update to the fixed packages.

Key Points:
  • rsync vulnerabilities affect Ubuntu 22.04 LTS, 24.04 LTS, 25.10, and 26.04 LTS.
  • CVE-2025-10158 (remote denial of service) and CVE-2026-29518 (local file overwrite and privilege escalation on non-chrooted daemons) pose the most significant risk.
  • Immediate updates are necessary to secure affected systems against these vulnerabilities.

Detailed Analysis

**Impact**

Ubuntu 22.04 LTS, 24.04 LTS, 25.10, and 26.04 LTS are affected by multiple vulnerabilities in rsync, the widely used file-copying and synchronization tool. A remote attacker with read access to an rsync server can cause a denial of service; a local attacker with write access to an rsync module can overwrite files, escalate privileges, or obtain sensitive information. Because rsync underpins backup and synchronization jobs, a crashed daemon interrupts those jobs and a compromised one exposes the data it serves.

**Technical Details**

The reported vulnerability classes are: a heap-based out-of-bounds read when handling file transfers (CVE-2025-10158); race conditions in daemons running without chroot protection (CVE-2026-29518, CVE-2026-43619); improper validation of length and index values (CVE-2026-41035, CVE-2026-43620); a reverse-DNS lookup bypass (CVE-2026-43617); an integer overflow (CVE-2026-43618); and an off-by-one error in HTTP proxy handling (CVE-2026-45232). The attack vectors are a remote attacker with read access to an rsync server, or a local attacker with write access to an rsync module. The race-condition issues apply to daemons whose modules are not chrooted (rsyncd.conf `use chroot = no`; rsync's default for that parameter is yes). No specific malware or indicators of compromise were reported.

**Recommended Response**

Apply the updated rsync packages:
  • Ubuntu 26.04 LTS: rsync 3.4.1+ds1-7ubuntu0.2
  • Ubuntu 25.10: rsync 3.4.1+ds1-5ubuntu1.2
  • Ubuntu 24.04 LTS: rsync 3.2.7-1ubuntu1.4
  • Ubuntu 22.04 LTS: rsync 3.2.7-0ubuntu0.22.04.6

After installing, restart any running rsync daemon (`rsync --daemon` or the rsync service) so the new binary is in use; rsync invoked over SSH starts a fresh process per transfer and needs no restart. Keep `use chroot` enabled for daemon modules, and treat any module that must disable it, especially a writable one, as the exposure point for the race-condition issues. Monitor for unexpected file modifications under served module paths and for rsync daemon crashes or restarts. No detection signatures or indicators of compromise are currently available.

Source articles (2)

  • Ubuntu 26.04 LTS rsync Important Denial of Service Issues CVE-2025 — Linuxsecurity · 2026-05-20
    A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in rsync. Sof…
  • USN-8283-1: rsync vulnerabilities — Ubuntu · 2026-05-20
    Calum Hutton discovered that rsync contained a heap-based out-of-bounds read when handling file transfers. A remote attacker with read access to an rsync server could possibly use this issue to cause…

Timeline

  • 2025-11-18 — CVE-2025-10158 published: Heap-based out-of-bounds read vulnerability in rsync allows remote denial of service.
  • 2026-04-16 — CVE-2026-41035 published: Vulnerability discovered in rsync related to improper validation of length values.
  • 2026-05-20 — CVE-2026-29518, CVE-2026-43617, CVE-2026-43618, CVE-2026-43619, CVE-2026-43620, and CVE-2026-45232 published: each assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-20 — USN-8283-1 released with fixed rsync packages for Ubuntu 22.04 LTS, 24.04 LTS, 25.10, and 26.04 LTS.

CVEs

  • CVE-2025-10158
  • CVE-2026-29518
  • CVE-2026-41035
  • CVE-2026-43617
  • CVE-2026-43618
  • CVE-2026-43619
  • CVE-2026-43620
  • CVE-2026-45232

Related entities

  • DDoS (Attack Type)
  • Denial of Service (Attack Type)
  • Cwe-125 - Out-of-bounds Read (Cwe)
  • Cwe-190 - Integer Overflow Or Wraparound (Cwe)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-269 - Improper Privilege Management (Cwe)
  • Cwe-362 - Race Condition (Cwe)
  • Rsync (Tool)
  • Ubuntu (Company)