Description
Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.
Published: 2026-05-20
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A time‑of‑check to time‑of‑use race condition exists in the rsync daemon that allows an attacker with write access to a module path to redirect a file write outside the intended directory by creating symbolic links in parent directories. When the daemon operates with elevated privileges, this flaw can be used to overwrite or create sensitive system files, thereby providing a path to privilege escalation. The weakness is classified as CWE‑367. The attack requires the daemon’s chroot setting to be disabled and the attacker must be able to write to the module path, making the attack surface limited to vulnerable rsync installations that expose writable modules and run in a non‑chrooted environment.

Affected Systems

The rsync project’s rsync daemon, versions prior to 3.4.3. Any deployment of older rsync releases that exposes writable module paths and runs the daemon with elevated privileges is vulnerable.

Risk and Exploitability

The CVSS score of 7.3 indicates a high severity impact. Because no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, the current exploitation probability is unknown but the flaw’s nature suggests it could be exploited in targeted scenarios where the conditions are met. The likely attack vector is remote access to the rsync daemon, involving manipulation of user‑supplied paths under the attacker’s control.

Generated by OpenCVE AI on May 20, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to rsync version 3.4.3 or later
  • Configure the rsync daemon to run with the chroot option enabled to isolate file operations
  • Restrict write permissions to rsync module paths to authorized users only

Generated by OpenCVE AI on May 20, 2026 at 14:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4591-1 rsync security update
Debian DSA Debian DSA DSA-6282-1 rsync security update
Ubuntu USN Ubuntu USN USN-8283-1 rsync vulnerabilities
History

Thu, 21 May 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Samba
Samba rsync
CPEs cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*
Vendors & Products Samba
Samba rsync

Thu, 21 May 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Rsync Project
Rsync Project rsync
Vendors & Products Rsync Project
Rsync Project rsync

Wed, 20 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 13:15:00 +0000

Type Values Removed Values Added
Description Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.
Title Rsync < 3.4.3 TOCTOU Race Condition Allows Symlink-Based Arbitrary File Write
Weaknesses CWE-367
References
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Rsync Project Rsync
Samba Rsync
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-20T14:50:31.650Z

Reserved: 2026-03-04T15:39:26.872Z

Link: CVE-2026-29518

cve-icon Vulnrichment

Updated: 2026-05-20T14:50:19.321Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-20T13:16:17.040

Modified: 2026-05-21T17:05:55.750

Link: CVE-2026-29518

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T08:15:06Z

Weaknesses