CVE-2026-29518
Rsync < 3.4.3 TOCTOU Race Condition Allows Symlink-Based Arbitrary File Write
CVSS Score
7.0
EPSS Score
0.0%
EPSS Percentile
0th
Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.
| CWE | CWE-367 |
| Vendor | rsyncproject |
| Product | rsync |
| Published | May 20, 2026 |
| Last Updated | Jun 30, 2026 |
Stay Ahead of the Next One
Get instant alerts for rsyncproject rsync
Be the first to know when new high vulnerabilities affecting rsyncproject rsync are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
RsyncProject / rsync
0 < 3.4.3
References
github.com: https://github.com/RsyncProject/rsync/pull/895/changes/8471fdd1561049ef5f58df44a1811a50bd9a531d github.com: https://github.com/RsyncProject/rsync/releases/tag/v3.4.3 michael.stapelberg.ch: https://michael.stapelberg.ch/posts/2026-05-24-minimal-memory-safe-go-rsync-vulns/ vulncheck.com: https://www.vulncheck.com/advisories/rsync-toctou-race-condition-allows-symlink-based-arbitrary-file-write access.redhat.com: https://access.redhat.com/security/cve/CVE-2026-29518 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2469055 security.access.redhat.com: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-29518.json access.redhat.com: https://access.redhat.com/errata/RHSA-2026:26332 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:26410 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:26408 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:29197
Credits
Nullx3D (Batuhan SANCAK) Michael Stapelberg Damien Neil