rsync 3.4.3 landed on May 20 with fixes for six CVEs. Two of them are reachable without running rsync in daemon mode: they are triggered by the server side of an ordinary transfer, so the attacker is whoever controls the remote end. If you sync against any server you do not fully control, those two are the ones that matter.

CVE-2026-43618 (CVSS 8.1, HIGH) is an integer overflow in the compressed-token decoder. A malicious rsync server can use it to disclose client memory during a normal rsync pull. No special configuration on your end. No daemon. Just a pull from an untrusted source.

CVE-2026-43620 (CVSS 6.5, MEDIUM) is an out-of-bounds read in recv_files(). A malicious server can cause a client-side denial of service during a pull.

The other four CVEs

The remaining four have narrower exposure:

CVE              CVSS         Requires
CVE-2026-29518   7.3 HIGH     Daemon without chroot
CVE-2026-43617   4.8 MEDIUM   Daemon without chroot
CVE-2026-43619   6.3 MEDIUM   Daemon without chroot
CVE-2026-45232   3.1 LOW      RSYNC_PROXY set, or MITM position

The daemon default, use chroot = yes in rsyncd.conf, is what keeps the three daemon-mode issues out of reach. If you run an rsync daemon with use chroot = no, globally or in any module, your exposure is wider -- update first, review configuration second.

Who should update now

The shortest path to "should I update today?": do you sync against external servers, CI artifact stores, backup targets, or any host you do not personally administer? If yes, CVE-2026-43618 and CVE-2026-43620 apply to you, because both are triggered by the server during a pull.

Distribution packages are moving. Red Hat advisory RHSA-2026:6436 is already out. Debian and Ubuntu packages are in progress -- check your package manager.

# Verify current version
rsync --version
 
# Debian/Ubuntu
apt-get update && apt-get install rsync
 
# RHEL/Rocky/AlmaLinux
dnf update rsync

After updating, an upstream or upstream-tracking build should report 3.4.3 in rsync --version. Enterprise distributions normally backport the fix onto the version they already ship, so the number will not change there; on those systems confirm that the CVE IDs appear in the package changelog instead (rpm -q --changelog rsync on RHEL-family hosts, or the packaged changelog under /usr/share/doc/rsync/ on Debian and Ubuntu).
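The following POSIX shell script is an added example, not code from the rsync project, the advisory, or any distribution. It turns the two checks on this page into something you can run across a fleet: it parses the first line of rsync --version, compares it against 3.4.3 numerically component by component, falls back to grepping the package changelog for the two client-side CVE IDs where a distribution backports the fix without renumbering, and reports every rsyncd.conf module whose effective use chroot is off (a per-module value overrides the global one, and the daemon default is yes). The changelog text and rsyncd.conf in it are constructed samples; the changelog locations it consults (rpm -q --changelog and /usr/share/doc/rsync/changelog.Debian.gz) are the conventional ones, not something the advisory specifies.

```sh
#!/bin/sh
# Added example; not code from the rsync project, the advisory or any distro.
# Check 1: is the installed rsync at least 3.4.3, or, for distro builds that
# backport fixes without renumbering, does the package changelog name both
# client-side CVEs?  Check 2: does rsyncd.conf turn "use chroot" off anywhere?

FIXED_VERSION="3.4.3"
CLIENT_CVES="CVE-2026-43618 CVE-2026-43620"

# Extract "X.Y.Z" from the first line of `rsync --version`, which looks like
# "rsync  version 3.4.3  protocol version 32".
rsync_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^rsync *version \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: succeed if A >= B, comparing dotted components numerically
# (so 3.4.10 > 3.4.3, which a plain string compare gets wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            d = (i <= na ? x[i] : 0) - (i <= nb ? y[i] : 0)
            if (d != 0) exit (d < 0)
        }
        exit 0 }'
}

# Succeed only if every client-side CVE ID appears in the changelog text.
changelog_mentions_cves() {
    for cve in $CLIENT_CVES; do
        printf '%s\n' "$1" | grep -q "$cve" || return 1
    done
    return 0
}

# rsync_client_patched BANNER CHANGELOG: upstream-numbered builds pass on
# version alone; older distro builds pass only if the changelog names the CVEs.
rsync_client_patched() {
    v=$(rsync_version_from_banner "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION" && return 0
    changelog_mentions_cves "$2"
}

# modules_without_chroot CONF: print each rsyncd.conf module whose effective
# "use chroot" is off. Per-module values override the global one; the daemon
# default when unset is yes; keys ignore case and whitespace.
modules_without_chroot() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (mod != "" && (eff == "no" || eff == "false" || eff == "0"))
                print mod
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            flush(); mod = $0
            sub(/^[ \t]*\[/, "", mod); sub(/][ \t]*$/, "", mod)
            if (tolower(mod) == "global") mod = ""
            eff = global; next
        }
        {
            n = index($0, "="); if (n == 0) next
            key = tolower(substr($0, 1, n - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, n + 1)); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "usechroot") { if (mod == "") global = val; else eff = val }
        }
        END { flush() }'
}

# Constructed samples, not real package or host data.
SAMPLE_CHANGELOG='- backport fixes for CVE-2026-43618 and CVE-2026-43620'
SAMPLE_RSYNCD_CONF='use chroot = yes
[backups]
    path = /srv/backups
[pub]
    path = /srv/pub
    use chroot = no
[legacy]
    path = /srv/legacy
    Use Chroot = false'

# Read-only check of this host: client version/changelog, then rsyncd.conf.
check_local_host() {
    command -v rsync >/dev/null 2>&1 || { echo "rsync not installed"; return 0; }
    banner=$(rsync --version 2>/dev/null | head -n1)
    changelog=$(rpm -q --changelog rsync 2>/dev/null ||
        zcat /usr/share/doc/rsync/changelog.Debian.gz 2>/dev/null || true)
    if rsync_client_patched "$banner" "$changelog"; then echo "client OK: $banner"
    else echo "client NOT covered for $CLIENT_CVES: $banner"; fi
    [ -r /etc/rsyncd.conf ] || return 0
    weak=$(modules_without_chroot "$(cat /etc/rsyncd.conf)")
    [ -z "$weak" ] || echo "rsyncd modules with use chroot off: $weak"
}

check_local_host
```

Run it as-is on each host, or source it and call modules_without_chroot on an rsyncd.conf pulled from configuration management. Note that the changelog check only proves the distro says it shipped the fix; it is the right signal for backported packages, where the version number cannot tell you anything.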

What the release includes beyond CVE fixes

The advisory notes that 3.4.3 also includes defense-in-depth hardening beyond the six CVE patches. No details are published yet on what that covers, which is standard for a security-first release.

For context on how coordinated security releases across multiple branches look in practice, see CVE-2026-46680: containerd patched across all active branches.


Sources: oss-security announcement; rsync CVE fix PR; RHSA-2026:6436