ALAS2-2026-3332


Amazon Linux 2 Security Advisory: ALAS2-2026-3332
Advisory Released Date: 2026-06-08
Advisory Updated Date: 2026-06-08
Severity: Important

Issue Overview:

Rsync versions 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation. (CVE-2026-43618)


Affected Packages:

rsync


Note:

This advisory applies to the Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update rsync or yum update --advisory ALAS2-2026-3332 to update your system.

New Packages:
aarch64:
    rsync-3.1.2-11.amzn2.0.7.aarch64
    rsync-debuginfo-3.1.2-11.amzn2.0.7.aarch64

i686:
    rsync-3.1.2-11.amzn2.0.7.i686
    rsync-debuginfo-3.1.2-11.amzn2.0.7.i686

src:
    rsync-3.1.2-11.amzn2.0.7.src

x86_64:
    rsync-3.1.2-11.amzn2.0.7.x86_64
    rsync-debuginfo-3.1.2-11.amzn2.0.7.x86_64
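
The fixed AL2 build keeps the 3.1.2 base version, so the upstream version number alone does not show whether a host is patched; the release string has to be compared against the build listed above. The following script is an added example, not part of the advisory: it classifies `rpm -q rsync` output against that build. The function names, the `--host` switch and the sample inventory are assumptions made for illustration, and GNU `sort -V` stands in for RPM's own version comparison.

```shell
#!/bin/sh
# Fixed build taken from the "New Packages" list of ALAS2-2026-3332.
FIXED_VR="3.1.2-11.amzn2.0.7"

# Reduce "rsync-<version>-<release>.<arch>" (rpm -q output) to "<version>-<release>".
nvra_to_vr() {
    vr=${1#rsync-}
    case "$vr" in
        *.aarch64|*.i686|*.x86_64|*.src) vr=${vr%.*} ;;
    esac
    printf '%s\n' "$vr"
}

# Exit status 0 when $1 is at or above the fixed build. GNU sort -V is used as an
# approximation of RPM version ordering (assumption: adequate for amzn2 releases).
is_patched() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_VR" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VR" ]
}

# Print PATCHED or VULNERABLE for one line of rpm -q output.
classify() {
    if is_patched "$(nvra_to_vr "$1")"; then
        echo "PATCHED"
    else
        echo "VULNERABLE"
    fi
}

# Check the local host; returns non-zero when the update is still needed.
check_host() {
    pkg=$(rpm -q rsync) || { echo "rsync not installed"; return 0; }
    echo "$pkg: $(classify "$pkg")"
    is_patched "$(nvra_to_vr "$pkg")"
}

if [ "${1:-}" = "--host" ]; then
    check_host
else
    # Constructed sample inventory; only the 0.7 build comes from the advisory.
    for pkg in rsync-3.1.2-4.amzn2.x86_64 rsync-3.1.2-11.amzn2.0.6.aarch64 \
               rsync-3.1.2-11.amzn2.0.7.x86_64 rsync-3.1.2-11.amzn2.0.10.i686; do
        echo "$pkg: $(classify "$pkg")"
    done
fi
```

Run with `--host` on an AL2 instance to check the installed package; the exit status is non-zero when the update is still pending, which makes it usable in a compliance job.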