CVE-2026-29518

HIGH 7.0

Rsync < 3.4.3 TOCTOU Race Condition Allows Symlink-Based Arbitrary File Write

CVSS Score

7.0

EPSS Score

0.0%

EPSS Percentile

0th

Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.

CWE	CWE-367
Vendor	rsyncproject
Product	rsync
Published	May 20, 2026
Last Updated	May 20, 2026

Stay Ahead of the Next One

Get instant alerts for rsyncproject rsync

Be the first to know when new high vulnerabilities affecting rsyncproject rsync are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

RsyncProject / rsync

0 < 3.4.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/RsyncProject/rsync/pull/895/changes/8471fdd1561049ef5f58df44a1811a50bd9a531d github.com: https://github.com/RsyncProject/rsync/releases/tag/v3.4.3 vulncheck.com: https://www.vulncheck.com/advisories/rsync-toctou-race-condition-allows-symlink-based-arbitrary-file-write

Credits

Nullx3D (Batuhan SANCAK) Michael Stapelberg Damien Neil