CVE-2024-12084

A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.

Published: Jan 15, 2025
Updated: Jun 19, 2025
CVE: CVE-2024-12084
Exploit:

No technical information available.

CWEs:

CWE-787

Affected Software
References

Software	From	Fixed in
samba / rsync	3.2.7	3.2.7.x
samba / rsync	3.3.0	3.3.0.x
almalinux / almalinux	10.0	10.0.x
nixos / nixos	-	24.11
nixos / nixos	24.11	24.11.x
tritondatacenter / smartos	-	20250123
redhat / enterprise_linux	10.0	10.0.x

http://www.openwall.com/lists/oss-security/2025/01/14/6
https://access.redhat.com/security/cve/CVE-2024-12084
https://bugzilla.redhat.com/show_bug.cgi?id=2330527
https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj
https://kb.cert.org/vuls/id/952657

Vulnerability Database

289,599

CVE-2024-12084