A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.
The problem stems from improper handling of the attacker-controlled checksum length (s2length parameter) in the rsync daemon code. When the value MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH size of 16 bytes, it is possible to write data beyond the boundaries of the sum2 buffer on the heap. An attacker can craft an appropriate request to the rsync daemon, forcing an out-of-bounds write in the allocated memory area.
Successful exploitation of the vulnerability may allow an attacker to gain full control over the system, including remote code execution (RCE) or service disruption. Violation of confidentiality, integrity, and availability of data on the server is possible.
Apply patches available from the vendor according to the references. For Red Hat/AlmaLinux systems, errata RHBA-2025:6470 is available. Additional information is provided in the CERT/CC guide (VU#952657). If an update is not immediately possible, it is recommended to restrict access to the rsync daemon at the firewall level to trusted IP addresses only.
Rsync daemon in Samba Rsync, AlmaLinux, Arch Linux, and Gentoo Linux distributions — specific versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAlmalinux
OSAlmalinux10.0Archlinux Arch Linux
OSArchlinuxwszystkie wersjeGentoo Linux
OSGentoowszystkie wersjeNixos
OSNixos24.11< 24.11Novell SUSE Linux
OSNovellwszystkie wersjeRed Hat Enterprise Linux
OSRedhat10.0Samba Rsync
APPSamba3.2.73.3.0Tritondatacenter Smartos
OSTritondatacenter< 20250123
Related vulnerabilities
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remot...
The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserReso...
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the...
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variab...