Rsync
cpe:2.3:a:gnu:rsync:*:*:*:*:*:*:*
- < 3.4.3
A receiver-side out-of-bounds array read vulnerability has been identified in Rsync versions through 3.4.2. The defect lies in the 'recv_files()' function of 'receiver.c' and allows a malicious Rsync server to crash the Rsync client process. Exploitation involves setting 'CF_INC_RECURSE' in the compatibility flags and sending a specially crafted file list whose first sorted entry is not the leading dot directory, followed by a transfer record with 'ndx=0' and an 'iflag' word that excludes 'ITEM_TRANSFER'. This sequence causes the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic 'SIGSEGV' crash of the Rsync client.
Exploitation of this vulnerability causes a segmentation fault (SIGSEGV) in the Rsync client, leading to a crash. This vulnerability is the receiver-side counterpart of CVE-2025-XXXXX, which affected the sender side.
To reproduce this vulnerability, a malicious Rsync server must be set up to include 'CF_INC_RECURSE' in the compatibility flags. The server should send a file list that includes a first sorted entry that is not the leading dot directory. Following this, the server must send a transfer record with 'ndx=0' and an 'iflag' word that does not include 'ITEM_TRANSFER', such as 'ITEM_IS_NEW'. This will trigger the out-of-bounds read in the 'recv_files()' function on the client side, causing a crash.
Users should upgrade to Rsync version 3.4.3, which includes the necessary patch. Until upgrading, Rsync clients can disable the 'inc_recursive' feature with the '--no-inc-recursive' option, or limit exposure by only pulling from trusted Rsync hosts.
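The interim mitigation above depends on knowing whether a given client is still in the affected range. The following POSIX shell snippet is an added example, not part of the advisory or of the rsync project: it compares a dotted version string against the fixed release 3.4.3, extracts the version from the first line of `rsync --version` (the banner line and the host name `trusted-host.example` are constructed sample values, and the banner format is an assumption), and emits `--no-inc-recursive` only for clients below the fixed release. The pull command at the end is assembled for display and is not executed.

```shell
#!/bin/sh
# Added example; not from the advisory or the rsync project.
# Gate the interim mitigation on the client version: add --no-inc-recursive
# while the client is below the fixed release, nothing once it is patched.

FIXED_VERSION="3.4.3"   # first release carrying the fix, per the advisory

# version_lt A B: succeed (exit 0) when dotted version A sorts before B.
# Missing minor/patch fields are treated as 0 (e.g. "3.4" == "3.4.0").
version_lt() {
    lhs=$1; rhs=$2
    set -- $(printf '%s' "$lhs" | tr . ' ') 0 0
    a1=$1 a2=$2 a3=$3
    set -- $(printf '%s' "$rhs" | tr . ' ') 0 0
    b1=$1 b2=$2 b3=$3
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# Pull the version number out of the first line of `rsync --version`,
# assumed to look like "rsync  version 3.4.2  protocol version 32".
parse_rsync_version() {
    printf '%s\n' "$1" | sed -n 's/^rsync *version *\([0-9][0-9.]*\).*/\1/p'
}

# Print the extra client option for the given version: --no-inc-recursive
# (disables incremental recursion) below the fixed release, empty otherwise.
mitigation_opts() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "--no-inc-recursive"
    else
        echo ""
    fi
}

# Constructed sample of the banner line an unpatched client would print.
SAMPLE_BANNER="rsync  version 3.4.2  protocol version 32"

# Stand-alone run: show the decision for the sample banner and assemble
# (without executing) a pull command with the interim option in place.
ver=$(parse_rsync_version "$SAMPLE_BANNER")
opts=$(mitigation_opts "$ver")
echo "rsync $ver -> extra option: '${opts}'"
echo "rsync -av $opts rsync://trusted-host.example/module/ ./dest/"
```

Wrapping a site's rsync invocations in `mitigation_opts` lets the option drop out automatically once clients reach 3.4.3, so the workaround does not linger after the upgrade.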