Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
HighPublic exploit

Rsync checksum comparison uninitialized stack memory disclosure

IdentifiersCVE-2024-12085CWE-908· Use of Uninitialized Resource

CVE-2024-12085 is an information disclosure vulnerability in the rsync server/daemon implementation affecting rsync versions up to and including 3.3.0. The flaw is triggered during file checksum comparison logic, where an attacker can manipulate the checksum length parameter (s2length) so that rsync compares a checksum against uninitialized memory. As a result, the daemon can disclose one byte of uninitialized stack data at a time to a remote attacker. The issue is described as occurring in the rsync daemon rather than the rsync client application.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote disclosure of uninitialized stack memory from the rsync daemon, leaking one byte at a time. The primary security consequence is loss of confidentiality; the provided content does not indicate direct integrity or availability impact from this CVE alone. Depending on surrounding memory contents and repeated exploitation, the leak could expose sensitive process data useful for further attacks.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of the rsync daemon by restricting or blocking network access to TCP port 873 and limiting access to trusted hosts/networks only. The content also notes a build-time mitigation: compiling rsync with '-ftrivial-auto-var-init=zero' to zero-initialize stack variables and prevent disclosure of uninitialized stack data.

Remediation

Patch, then assume compromise.

Upgrade rsync to a fixed release. The provided content indicates that the rsync project released fixes for CVE-2024-12085 and that affected versions are 3.3.0 and earlier; other content recommends upgrading to rsync 3.4.0 or later, and distribution users should install vendor-patched packages. For Red Hat-derived environments, apply the relevant patched rsync/rsync-daemon packages from the vendor advisories.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTALView more in app
cve-2024-12085MaturityPoCVerified exploit

This repository contains a proof-of-concept exploit for CVE-2024-12085, an infoleak vulnerability in rsync 3.2.7. The main exploit is implemented in 'exploit.py', which connects to a hardcoded rsync server at 127.0.0.1:1234, targeting a module named 'test' and a file 'hello.txt'. The exploit crafts and sends a series of protocol messages to the rsync server, exploiting the vulnerability to leak up to 56 bytes of stack memory, which are then printed as 8-byte words. The exploit is not versatile; it is hardcoded for the specific module and file, and checksum calculation is not fully automated. Supporting files include 'checksum.py' (for checksum calculation, incomplete), 'port-forwarding.py' (a TCP port forwarding utility for capturing traffic), and 'test.sh' (a bash script to automate testing with a local rsync daemon). The attack vector is network-based, requiring access to the rsync service. The exploit does not provide remote code execution or shell access, but demonstrates the ability to leak sensitive memory from the server process.

OtsutezDisclosed Jul 24, 2025pythonbashnetwork
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
AlmalinuxAlmalinuxoperating_system
ArchlinuxArch Linuxoperating_system
GentooLinuxoperating_system
HPE Aruba NetworkingManagement Software (Airwave)application
NixosNixosoperating_system
Red HatEnterprise Linuxoperating_system
Red HatEnterprise Linux Eusoperating_system
Red HatEnterprise Linux For Arm 64operating_system
Red HatEnterprise Linux For Arm 64 Eusoperating_system
Red HatEnterprise Linux For Ibm Z Systemsoperating_system
Red HatEnterprise Linux For Ibm Z Systems Eusoperating_system
Red HatEnterprise Linux For Power Little Endianoperating_system
Red HatEnterprise Linux For Power Little Endian Eusoperating_system
Red HatEnterprise Linux Serveroperating_system
Red HatEnterprise Linux Server Ausoperating_system
Red HatEnterprise Linux Server For Power Little Endian Update Services For Sap Solutionsoperating_system
Red HatEnterprise Linux Server Tusoperating_system
Red HatEnterprise Linux Update Services For Sap Solutionsoperating_system
Red HatOpenshiftapplication
Red HatOpenshift Container Platformapplication
SambaRsyncapplication
SuseSuse Linuxoperating_system
TritondatacenterSmartosoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app
support hpeNews
Nov 18, 2025
HPESBNW04971 rev.1 - HPE Aruba Networking Management Software (AirWave), Multiple Vulnerabilities

One of a set of Rsync daemon vulnerabilities (Rsync <= 3.3.0) that can contribute to remote code execution, directory traversal, and/or sensitive information disclosure.

Read more
sysdig blogNews
Jan 17, 2025
Detecting and mitigating CVE-2024-12084: rsync remote code execution

An information leak vulnerability in rsync.

Read more
almalinuxNews
Jan 17, 2025
AlmaLinux OS - Forever-Free Enterprise-Grade Operating System

An rsync server vulnerability that can lead to remote code execution.

Read more
kyberturvallisuuskeskus alertsNews
Jan 16, 2025
Kriittinen rsync-haavoittuvuus vaatii välitöntä korjausta | Traficom

One of several additional vulnerabilities in the Rsync server implementation for which the Rsync project released fixes.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2024-12085
NVD
nvd.nist.gov/vuln/detail/CVE-2024-12085
MITRE CWE · CWE-908
Use of Uninitialized Resource
Third Party Advisory
access.redhat.com/errata/RHSA-2025:0324
Third Party Advisory
access.redhat.com/errata/RHSA-2025:0325
Third Party Advisory
access.redhat.com/errata/RHSA-2025:0637
Third Party Advisory
access.redhat.com/errata/RHSA-2025:0688
Third Party Advisory
access.redhat.com/errata/RHSA-2025:0714
Third Party Advisory
access.redhat.com/errata/RHSA-2025:0774
Third Party Advisory
access.redhat.com/errata/RHSA-2025:0787
Third Party Advisory
access.redhat.com/errata/RHSA-2025:0790
Third Party Advisory
access.redhat.com/errata/RHSA-2025:0849
+19 more references
view more in app