Description
Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.
Published: 2026-05-20
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Rsync under version 3.4.3 has a symlink race condition in numerous path-based system calls such as chmod, lchown, utimes, rename, and others. The lack of atomic path resolution allows a local attacker who can influence the target path to swap in a symlink during the short window between pathname verification and syscall execution, thereby applying permissions, ownership, timestamps, or filenames to files outside the exported rsync module. This flaw represents a classic race condition (time-of-check to time-of-use) and an improper path handling weakness.
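
The window described above, as an added illustration that is not rsync's code: a path-based chmod that re-resolves the name after checking it, beside the descriptor-based form that binds the object once with O_NOFOLLOW and then acts on the descriptor. The self-check function and the /tmp layout it builds are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (illustrative, not rsync's code): check and use name the
 * same path twice, so it may resolve to a different object in between. */
int chmod_by_path(const char *path, mode_t mode)
{
    struct stat st;
    if (lstat(path, &st) < 0 || !S_ISREG(st.st_mode)) return -1; /* check */
    return chmod(path, mode);  /* use: chmod() follows a symlink planted here */
}

/* Hardened pattern: bind the object once with O_NOFOLLOW, verify what was
 * opened, then act on the descriptor (fchown/futimens work the same way). */
int chmod_by_fd(const char *path, mode_t mode)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;                  /* ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd); errno = EPERM; return -1; /* only regular files here */
    }
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Self-check on a constructed layout (regular file plus a symlink to it):
 * returns 0 when the fd variant rejects the symlink with ELOOP yet still
 * applies the mode to the regular file; set bits identify the failure. */
int demo_run(void)
{
    char dir[] = "/tmp/cwe367.XXXXXX", file[64], link[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    if (close(open(file, O_WRONLY | O_CREAT, 0600)) < 0 ||  /* create file */
        symlink("target", link) < 0) return -1;
    int rc = 0;
    if (chmod_by_fd(link, 0644) != -1 || errno != ELOOP) rc |= 1;
    struct stat st;
    if (chmod_by_fd(file, 0644) != 0 || stat(file, &st) < 0 ||
        (st.st_mode & 07777) != 0644) rc |= 2;
    unlink(link); unlink(file); rmdir(dir);
    return rc;
}
```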

Affected Systems

The vulnerability affects the RsyncProject rsync software. Versions 3.4.2 and all earlier releases are impacted; upgrading to version 3.4.3 or later removes the flaw.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity potential. EPSS data is unavailable, and the issue is not listed in the CISA KEV catalog. An attacker must run locally on the host with filesystem access to the rsync daemon and exploit the timing window while the daemon is configured with "use chroot = no". Successful exploitation can cause arbitrary file system changes, potentially escalating privileges or compromising data integrity.

Generated by OpenCVE AI on May 20, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the rsync installation to version 3.4.3 or later
  • Configure the rsync daemon to use chroot by setting "use chroot = yes" so file operations are confined to the export root
  • If upgrading or chroot configuration is not immediately possible, restrict local filesystem access to the rsync process and monitor for abnormal file changes to mitigate risk

Advisories
Source     | ID         | Title
Debian DLA | DLA-4591-1 | rsync security update
Debian DSA | DSA-6282-1 | rsync security update
Ubuntu USN | USN-8283-1 | rsync vulnerabilities
History

Wed, 20 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared (added): Rsync Project; Rsync Project rsync
Vendors & Products (added): Rsync Project; Rsync Project rsync

Wed, 20 May 2026 01:30:00 +0000

Type Values Removed Values Added
Description Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.
Title Rsync < 3.4.3 Symlink Race Condition via Path-Based Syscalls
Weaknesses CWE-367
CWE-59
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-20T13:09:14.169Z

Reserved: 2026-05-01T18:22:45.639Z

Link: CVE-2026-43619

Vulnrichment

Updated: 2026-05-20T13:09:09.691Z

NVD

Status : Awaiting Analysis

Published: 2026-05-20T02:16:36.577

Modified: 2026-05-20T13:58:07.923

Link: CVE-2026-43619

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:40Z

Weaknesses