CVE-2024-12086
6.1 MEDIUM · A flaw was found in rsync
Published: 2025-01-14 · Last updated: 2026-05-26
Severity and scoring
- CVSS
- 6.1 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
- CWE
- CWE-390
Affected products
- Vendors: almalinux, archlinux, gentoo, nixos, redhat, samba, suse, tritondatacenter
- Products: almalinux, arch_linux, enterprise_linux
Description
A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client.
Source: NVD
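The description above is easier to follow with the exchange written out. The following is an added illustration for this page, not rsync's wire protocol or its checksum code: the weak sum is an Adler-style pair of sums, the strong sum is a truncated MD5, and the sender loop is a condensed version of the block-matching idea (weak-sum lookup, strong-sum confirmation, then either a block token or literal bytes). The sample file content is constructed. The model covers the file the client is already sending; it does not reproduce the part of the description about the server steering the client to arbitrary files.

```python
"""Simplified model of the rsync delta exchange, showing how a receiver that
chooses the checksum parameters turns the sender's answers into an oracle.
Illustrative code written for this page; not rsync's implementation."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BlockSum:
    index: int      # block number on the receiver's side
    weak: int       # cheap rolling checksum, compared first
    strong: bytes   # truncated strong hash, compared only on a weak hit


def weak_sum(block: bytes) -> int:
    # Adler-style stand-in for rsync's rolling checksum (assumption, not rsync's sum)
    a = sum(block) & 0xFFFF
    b = sum((len(block) - i) * c for i, c in enumerate(block)) & 0xFFFF
    return (b << 16) | a


def strong_sum(block: bytes, s2length: int) -> bytes:
    return hashlib.md5(block).digest()[:s2length]


def honest_sums(basis: bytes, blength: int, s2length: int) -> list[BlockSum]:
    """Receiver with a genuine basis file: one checksum per local block."""
    return [BlockSum(i, weak_sum(basis[o:o + blength]), strong_sum(basis[o:o + blength], s2length))
            for i, o in enumerate(range(0, len(basis), blength))]


def malicious_sums(s2length: int) -> list[BlockSum]:
    """Receiver with no basis file at all: 256 one-byte 'blocks', one per
    possible byte value, so block index i means 'the byte with value i'."""
    return [BlockSum(v, weak_sum(bytes([v])), strong_sum(bytes([v]), s2length))
            for v in range(256)]


def sender_delta(data: bytes, sums: list[BlockSum], blength: int, s2length: int) -> list:
    """Sender side (the rsync client when it pushes a file to a server).
    Emits ('token', i) where the receiver claims to already hold block i,
    and ('literal', bytes) for data it believes the receiver lacks."""
    table: dict[int, list[BlockSum]] = {}
    for s in sums:
        table.setdefault(s.weak, []).append(s)
    delta, pos, literal = [], 0, bytearray()
    while pos < len(data):
        window = data[pos:pos + blength]
        hit = next((s for s in table.get(weak_sum(window), [])
                    if s.strong == strong_sum(window, s2length)), None)
        if hit is None:
            literal.append(data[pos])
            pos += 1
            continue
        if literal:
            delta.append(("literal", bytes(literal)))
            literal = bytearray()
        delta.append(("token", hit.index))
        pos += len(window)
    if literal:
        delta.append(("literal", bytes(literal)))
    return delta


def apply_delta(basis: bytes, delta: list, blength: int) -> bytes:
    """Honest receiver rebuilds the file from its basis plus the delta."""
    out = bytearray()
    for kind, val in delta:
        out += basis[val * blength:(val + 1) * blength] if kind == "token" else val
    return bytes(out)


def attacker_recover(delta: list) -> bytes:
    """Malicious receiver: every token index is literally a byte of the file,
    and any literal run is handed over verbatim anyway."""
    out = bytearray()
    for kind, val in delta:
        out += bytes([val]) if kind == "token" else val
    return bytes(out)


# Constructed sample input for the demonstration (not real data).
SECRET = b"db_password=hunter2\nAPI_TOKEN=sk-live-0123456789\n"


def demo_honest() -> bytes:
    # Client pushes an updated file; server holds an older copy; delta carries only the change.
    basis = SECRET.replace(b"hunter2", b"hunter1")
    delta = sender_delta(SECRET, honest_sums(basis, 8, 4), 8, 4)
    return apply_delta(basis, delta, 8)


def demo_oracle() -> bytes:
    # Server sends no real checksums, only the 256 single-byte guesses with block length 1.
    delta = sender_delta(SECRET, malicious_sums(4), 1, 4)
    return attacker_recover(delta)


if __name__ == "__main__":
    assert demo_honest() == SECRET
    print(demo_oracle().decode())
```

In `demo_oracle` the client never sends the secret as literal data, yet the server learns every byte of it from the token indices, because the server chose the block length and supplied a checksum for every candidate value. The same match-or-literal answer leaks at larger block lengths too, only more slowly: the receiver extends a known prefix one byte at a time across repeated transfers, which is the byte-by-byte reconstruction the description refers to.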
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2024-12086
- [Other] https://access.redhat.com/errata/RHBA-2025:6470
- [Other] https://access.redhat.com/errata/RHSA-2026:19368
- [Other] https://access.redhat.com/errata/RHSA-2026:20603
- [Other] https://access.redhat.com/security/cve/CVE-2024-12086
- [Other] https://bugzilla.redhat.com/show_bug.cgi?id=2330577
- [Other] https://kb.cert.org/vuls/id/952657
- [Other] https://lists.debian.org/debian-lts-announce/2025/01/msg00008.html
- [Other] https://security.netapp.com/advisory/ntap-20250131-0002/
- [Other] https://www.kb.cert.org/vuls/id/952657
- [Exploit reference] https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj
Related CVEs
Same vendor
- CVE-2026-1767 — A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component (5.6 MEDIUM)
- CVE-2026-1766 — A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 com... (5.6 MEDIUM)
- CVE-2026-11793 — A stack buffer overflow flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11790 — A flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11789 — A flaw was found in 389 Directory Server (4.9 MEDIUM)
Same CWE
- CVE-2026-48792 — pam_usb provides hardware authentication for Linux using ordinary removable media (4.4 MEDIUM)
- CVE-2026-44310 — Gitsign is a keyless Sigstore signing tool for Git commits using your GitHub / OIDC identity (5.4 MEDIUM)