
Rsync Vulnerabilities Affect Ubuntu Systems
TL;DR: Ubuntu has patched two vulnerabilities in the rsync utility. One flaw could allow a remote attacker to cause a denial of service, while another could let a local attacker overwrite files on systems with specific configurations. The issues affect recent versions of Ubuntu, including 22.04 and 24.04 LTS.
Key facts
- Category: Cybersecurity
- Impact: Low
- Published:
- Source: Ubuntu Security Notices
Full summary
Ubuntu has patched two security flaws in the rsync utility that could lead to denial of service or unauthorized file overwrites on servers.
Ubuntu has addressed two security vulnerabilities in the widely used rsync file transfer utility. The first issue, identified as CVE-2025-10158, is a heap-based out-of-bounds read that occurs when handling file transfers. A remote attacker with read access to an rsync server could exploit this flaw to trigger a denial of service, crashing the service. This vulnerability affects Ubuntu 22.04 LTS, 24.04 LTS, and 25.10. The second vulnerability is a race condition affecting rsync daemons that are configured without chroot protection. In that configuration, a local attacker with write permission to a specific module could exploit the flaw to overwrite arbitrary files on the system.
These vulnerabilities are significant because rsync is a foundational tool for backups, deployments, and data synchronization. The remote denial-of-service flaw presents a direct threat to the availability of services that rely on rsync for data transfer. The local file overwrite vulnerability poses a risk to data integrity and could be used for privilege escalation on multi-user systems where security boundaries are critical. System administrators, DevOps teams, and security professionals managing Ubuntu infrastructure should take note, as unpatched systems remain exposed. The flaws highlight the importance of secure configuration, such as using chroot, in addition to timely software updates.
Why it matters
Rsync is a fundamental tool for backups and data synchronization. These flaws could disrupt services via denial of service or allow local attackers to overwrite system files, compromising data integrity and security on affected Ubuntu servers.
Business impact
Unpatched systems are at risk of service interruptions from denial-of-service attacks on rsync servers. Additionally, the local file overwrite flaw could lead to data corruption or unauthorized system access, impacting business operations and data security.
⚡ Action needed
Users are advised to update their rsync packages to the latest version to mitigate these vulnerabilities. Applying the security patches provided by Ubuntu is the recommended course of action.
Action checklist
1. Identify all Ubuntu systems running affected versions (22.04, 24.04, 25.10).
2. Use the system's package manager to apply the latest security patches for rsync.
3. Verify that the rsync package has been successfully updated.
4. Review rsync daemon configurations to ensure chroot protection is enabled where possible.
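The script below is an added example, not part of the Ubuntu notice, that carries out checklist steps 2 through 4 on a Debian/Ubuntu host. It assumes `apt-get`, `apt` and `dpkg-query` are available and that the package functions run as root; the page does not state the fixed package version, so the script reports the installed version and relies on apt's own upgrade candidate rather than hard-coding a number. The `list_no_chroot_modules` audit is plain POSIX sh and awk over an rsyncd.conf file, honouring rsync's rule that a `use chroot` line before the first `[module]` sets the default (yes when absent) and a per-module line overrides it.

```shell
#!/bin/sh
# Added example, not from the Ubuntu notice: audit rsyncd.conf for modules
# that run without chroot, and apply/verify the rsync package update.

# Print each rsyncd.conf module whose effective "use chroot" value is "no".
# A "use chroot" line before the first [module] sets the global default
# (rsync's built-in default is yes); a line inside a module overrides it.
list_no_chroot_modules() {
    awk '
        BEGIN { global_val = "yes"; module = "" }
        # Normalise a value: trim, lower-case, map true/false/1/0 to yes/no.
        function norm(s) {
            gsub(/^[ \t]+|[ \t]+$/, "", s); s = tolower(s)
            if (s == "false" || s == "0") s = "no"
            if (s == "true"  || s == "1") s = "yes"
            return s
        }
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                    # [module] header
            if (module != "" && chroot_val == "no") print module
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/\][ \t]*$/, "", name)
            module = name; chroot_val = global_val; next
        }
        tolower($0) ~ /^[ \t]*use[ \t]+chroot[ \t]*=/ {
            val = $0; sub(/^[^=]*=/, "", val); val = norm(val)
            if (module == "") global_val = val; else chroot_val = val
        }
        END { if (module != "" && chroot_val == "no") print module }
    ' "$1"
}

# Installed rsync version according to dpkg, or "not-installed".
rsync_installed_version() {
    dpkg-query -W -f='${Version}\n' rsync 2>/dev/null || echo "not-installed"
}

# Step 2: upgrade only the rsync package from the configured Ubuntu repos.
# Requires root. The fixed version is not given on this page, so apt's
# candidate version (compare with `apt-cache policy rsync`) is the reference.
update_rsync_package() {
    apt-get update && apt-get install --only-upgrade -y rsync
}

# Step 3: exit 0 if apt still lists an rsync upgrade as pending, 1 otherwise.
rsync_upgrade_pending() {
    apt list --upgradable 2>/dev/null | grep -q '^rsync/'
}

# Stand-alone run: report the installed version and audit the live daemon
# config (step 4). Output only; nothing on the host is modified.
echo "installed rsync: $(rsync_installed_version)"
if [ -r /etc/rsyncd.conf ]; then
    echo "modules running without chroot (review each):"
    list_no_chroot_modules /etc/rsyncd.conf
fi
```

Run it as `sh rsync_audit.sh` to see the installed version and the modules that would need attention; call `update_rsync_package` and then `rsync_upgrade_pending` (as root) to apply the patch and confirm that apt no longer considers rsync upgradable. Modules listed by the audit are the ones where the local race condition described above applies, so the review in step 4 should start there.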
Primary source: Ubuntu Security Notices