CVE-2024-12086

6.1 MEDIUM

📋 TL;DR

This rsync vulnerability allows a malicious server to read arbitrary files from a client's machine during file transfer operations. Attackers can reconstruct file contents byte-by-byte by sending specially crafted checksums. Anyone using rsync to copy files from client to server is potentially affected.

💻 Affected Systems

Products:
  • rsync
Versions: before 3.3.1
Operating Systems: Linux, Unix-like systems, Windows (via Cygwin or similar)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects rsync when used in client-to-server file transfer mode. Server-to-client transfers are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete exfiltration of sensitive files from client systems including configuration files, credentials, or proprietary data.

🟠

Likely Case

Targeted extraction of specific files from rsync clients by compromised or malicious servers.

🟢

If Mitigated

Limited impact if rsync is only used between trusted endpoints with proper access controls.

🌐 Internet-Facing: MEDIUM - Requires client to initiate connection to malicious server, which is less common than server-initiated attacks.
🏢 Internal Only: MEDIUM - Internal malicious servers could exploit this against internal clients during normal rsync operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the client to initiate connection to a malicious server. The attack reconstructs files gradually through multiple requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: rsync 3.3.1 and later

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-12086

Restart Required: No

Instructions:

1. Update rsync to version 3.3.1 or later using your package manager.
2. For Red Hat/CentOS: 'yum update rsync'.
3. For Debian/Ubuntu: 'apt update && apt upgrade rsync'.
4. For source installation: Download and compile from rsync.samba.org.

🔧 Temporary Workarounds

Use --checksum-choice=xxh128

Platform: linux

Forces use of the xxh128 checksum algorithm, which is not vulnerable to this attack.

rsync --checksum-choice=xxh128 [other options]

Disable checksum negotiation

Platform: all

Use --no-checksum to disable checksum verification (reduces performance).

rsync --no-checksum [other options]

🧯 If You Can't Patch

  • Only use rsync with trusted servers and verify server authenticity before transfers
  • Implement network segmentation to restrict rsync traffic to authorized servers only

🔍 How to Verify

Check if Vulnerable:

Run 'rsync --version' and check whether the reported version is below 3.3.1

Check Version:

rsync --version | head -1

Verify Fix Applied:

Confirm rsync version is 3.3.1 or higher with 'rsync --version | head -1'
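A scripted form of the check above, added here as an example and not part of the advisory: it parses the first line of 'rsync --version' and compares the version against the 3.3.1 fix version this page states. The banner format ('rsync  version X.Y.Z  protocol version N') and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): is the installed rsync below the
# fix version this page gives for CVE-2024-12086?

FIXED_VERSION="3.3.1"   # fix version as stated on this page

# Pull "X.Y.Z" out of the first banner line of `rsync --version`,
# e.g. "rsync  version 3.2.7  protocol version 31" -> "3.2.7".
# Anchored at "^rsync" so the trailing "protocol version 31" is not matched.
rsync_version_from_banner() {
    printf '%s\n' "$1" | head -n 1 |
        sed -n 's/^rsync[[:space:]]\{1,\}version[[:space:]]\{1,\}v\{0,1\}\([0-9][0-9.]*\).*/\1/p'
}

# version_lt A B: exit 0 when dotted version A is numerically below B.
# Uses a field-wise numeric sort, so it does not need GNU `sort -V`.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# rsync_is_vulnerable BANNER: 0 = below fix version, 1 = fixed, 2 = unparseable
rsync_is_vulnerable() {
    v=$(rsync_version_from_banner "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Report on the rsync found in PATH, if any (skipped silently when absent).
report_local_rsync() {
    command -v rsync >/dev/null 2>&1 || { echo "rsync not installed"; return 0; }
    banner=$(rsync --version 2>/dev/null | head -n 1)
    rc=0
    rsync_is_vulnerable "$banner" || rc=$?
    case $rc in
        0) echo "VULNERABLE: $banner (below $FIXED_VERSION)" ;;
        1) echo "OK: $banner" ;;
        *) echo "UNKNOWN: could not parse '$banner'" ;;
    esac
    return 0
}

report_local_rsync
```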

📡 Detection & Monitoring

Log Indicators:

  • Unusual rsync connection patterns to unfamiliar servers
  • Multiple rsync sessions with same client to different servers

Network Indicators:

  • Rsync traffic to unexpected external IP addresses
  • High volume of rsync checksum negotiation packets

SIEM Query:

source="rsync" AND (dest_ip NOT IN [trusted_servers]) | stats count by src_ip, dest_ip
