Ubuntu 26.04 LTS Usn-8349-2 Rsync Denial Of Service Fix

ubuntu

June 8, 2026

USN-8349-1 introduced regressions in rsync.

Summary

USN-8349-1 introduced regressions in rsync.

Software Description:

- rsync: fast, versatile, remote (and local) file-copying tool

Details:

USN-8349-1 fixed vulnerabilities in rsync. The update introduced multiple

regressions in rsync functionality. This update fixes the problem.

Original advisory details:

Calum Hutton discovered that rsync contained a heap-based out-of-bounds

read when handling file transfers. A remote attacker with read access

to an rsync server could possibly use this issue to cause a denial of

service. (CVE-2025-10158)

Batuhan Sancak, Damien Neil, and Michael Stapelberg discovered that

rsync daemons configured without chroot protection were exposed to a

race condition on parent path components. A local attacker with write

access to a module could possibly use this issue to overwrite files,

obtain sensitive information, or escalate privileges.

(CVE-2026-29518)

It was discovered that rsync did not properly validate a length value

while sorting ex...

Read the Full Advisory

Topics Covered

security advisory denial of service Ubuntu rsync regression heap-based

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
  rsync                           3.4.1+ds1-7ubuntu0.3

Ubuntu 25.10
  rsync                           3.4.1+ds1-5ubuntu1.3

Ubuntu 24.04 LTS
  rsync                           3.2.7-1ubuntu1.5

Ubuntu 22.04 LTS
  rsync                           3.2.7-0ubuntu0.22.04.7

After a standard system update you need to restart rsync daemons if
configured to make all the necessary changes.