CVE-2026-43619

MEDIUM 6.3

Rsync < 3.4.3 Symlink Race Condition via Path-Based Syscalls

CVSS Score

6.3

EPSS Score

0.0%

EPSS Percentile

0th

Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.

CWE	CWE-367 CWE-59
Vendor	rsyncproject
Product	rsync
Published	May 20, 2026
Last Updated	May 20, 2026

Stay Ahead of the Next One

Get instant alerts for rsyncproject rsync

Be the first to know when new medium vulnerabilities affecting rsyncproject rsync are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

RsyncProject / rsync

0 < 3.4.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/RsyncProject/rsync/security/advisories/GHSA-4h9m-w5ff-j735 github.com: https://github.com/RsyncProject/rsync/releases/tag/v3.4.3 vulncheck.com: https://www.vulncheck.com/advisories/rsync-symlink-race-condition-via-path-based-syscalls

Credits

Andrew Tridgell (@tridge)