CVE-2024-12086

Name: CVE-2024-12086
Creator: NVD / NIST
Published: 2025-01-14T18:15:25.297+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.8/10EPSS 1.76%

Last modified Jun 25, 2026

CVE-2024-12086 is a medium-severity vulnerability rated 6.8/10 on the CVSS scale. A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. EPSS estimates a 1.76% chance of exploitation in the next 30 days.

Description

A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client.

Metrics

CVSS 3.1

6.8/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS Probability

1.76%

75.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-390

Affected Software

Vendor	Product	Versions
Samba	Rsync	<= 3.3.0
Redhat	Openshift Container Platform	4.0
Redhat	Enterprise Linux	6.0
Redhat	Enterprise Linux	7.0
Redhat	Enterprise Linux	8.0
Redhat	Enterprise Linux	9.0
Redhat	Enterprise Linux	10.0
Almalinux	Almalinux	8.0
Almalinux	Almalinux	9.0
Almalinux	Almalinux	10.0
Archlinux	Arch Linux	All versions
Gentoo	Linux	All versions
Nixos	Nixos	< 24.11
Suse	Suse Linux	All versions
Tritondatacenter	Smartos	< 20250123

References

https://access.redhat.com/errata/RHBA-2025:6470
https://access.redhat.com/errata/RHSA-2026:19368
https://access.redhat.com/errata/RHSA-2026:20603
https://access.redhat.com/errata/RHSA-2026:29197
https://access.redhat.com/security/cve/CVE-2024-12086Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2330577Issue Tracking, Third Party Advisory
https://kb.cert.org/vuls/id/952657Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/01/msg00008.html
https://security.netapp.com/advisory/ntap-20250131-0002/
https://www.kb.cert.org/vuls/id/952657
https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqjExploit, Third Party Advisory

Timeline

Published: Jan 14, 2025
Last Modified: Jun 25, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2024-12086?

How severe is CVE-2024-12086?

CVE-2024-12086 has a CVSS score of 6.8/10 (MEDIUM severity). The EPSS model estimates a 1.76% probability of exploitation in the next 30 days.

How do I fix CVE-2024-12086?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-12086?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST