CVE-2026-29518

HIGH EPSS 3.8%
Published May 20, 20261mo ago · Modified Jun 17, 20261w ago
7.3 CVSS 4.0
High
Find Similar
Published May 20, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.

CVSS Details

Base Score
7.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
3.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-367

Affected Products 1

VendorProductVersionRange
sambarsync* <3.4.3

References 4

  • github.com https://github.com/RsyncProject/rsync/pull/895/changes/8471fdd1561049ef5f58df44a1811a50bd9a531d
    Patch
  • github.com https://github.com/RsyncProject/rsync/releases/tag/v3.4.3
    Release Notes
  • michael.stapelberg.ch https://michael.stapelberg.ch/posts/2026-05-24-minimal-memory-safe-go-rsync-vulns/
  • vulncheck.com https://www.vulncheck.com/advisories/rsync-toctou-race-condition-allows-symlink-based-arbitrary-file-write
    Third Party Advisory

Remediation

  • github.com https://github.com/RsyncProject/rsync/pull/895/changes/8471fdd1561049ef5f58df44a1811a50bd9a531d
    Patch