CVE-2026-29518

CVE-2026-29518

Name

CVE-2026-29518

Description

Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
disclosure@vulncheck.com	https://github.com/RsyncProject/rsync/pull/895/changes/8471fdd1561049ef5f58df44a1811a50bd9a531d
disclosure@vulncheck.com	https://github.com/RsyncProject/rsync/releases/tag/v3.4.3
disclosure@vulncheck.com	https://www.vulncheck.com/advisories/rsync-toctou-race-condition-allows-symlink-based-arbitrary-file-write
disclosure@vulncheck.com	https://michael.stapelberg.ch/posts/2026-05-24-minimal-memory-safe-go-rsync-vulns/

Type

URI

disclosure@vulncheck.com

https://github.com/RsyncProject/rsync/pull/895/changes/8471fdd1561049ef5f58df44a1811a50bd9a531d

disclosure@vulncheck.com

https://github.com/RsyncProject/rsync/releases/tag/v3.4.3

disclosure@vulncheck.com

https://www.vulncheck.com/advisories/rsync-toctou-race-condition-allows-symlink-based-arbitrary-file-write

disclosure@vulncheck.com

https://michael.stapelberg.ch/posts/2026-05-24-minimal-memory-safe-go-rsync-vulns/

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:samba:rsync::::::::`	rsync	>= None	< 3.4.3

CPE URI

Source package

Min version

Max version

cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*

rsync

>= None

< 3.4.3

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
rsync	edge-main	3.4.3-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
rsync	edge-main	3.4.2-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	edge-main	3.4.1-r2	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	edge-main	3.4.1-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	edge-main	3.4.1-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	edge-main	3.4.0-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	edge-main	3.3.0-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	edge-main	3.2.4-r2	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	edge-main	3.2.4-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	edge-main	3.2.3-r5	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	edge-main	3.2.3-r4	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	edge-main	3.2.3-r3	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	edge-main	3.1.2-r7	None	possibly vulnerable
rsync	3.23-main	3.4.3-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
rsync	3.23-main	3.4.2-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.23-main	3.4.1-r2	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.23-main	3.4.1-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.22-main	3.4.3-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
rsync	3.22-main	3.4.2-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.22-main	3.4.1-r2	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.22-main	3.4.1-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.22-main	3.4.1-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.22-main	3.4.0-r0	None	possibly vulnerable
rsync	3.22-main	3.2.4-r2	None	possibly vulnerable
rsync	3.22-main	3.1.2-r7	None	possibly vulnerable
rsync	3.21-main	3.4.3-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
rsync	3.21-main	3.4.2-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.21-main	3.4.1-r2	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.21-main	3.4.1-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.21-main	3.4.0-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.21-main	3.3.0-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.21-main	3.3.0-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.21-main	3.2.4-r2	None	possibly vulnerable
rsync	3.21-main	3.1.2-r7	None	possibly vulnerable
rsync	3.20-main	3.4.3-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
rsync	3.20-main	3.4.2-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.20-main	3.4.1-r2	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.20-main	3.4.1-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.20-main	3.4.0-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.20-main	3.3.0-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.20-main	3.2.4-r2	None	possibly vulnerable
rsync	3.20-main	3.1.2-r7	None	possibly vulnerable
rsync	3.19-main	3.4.1-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.19-main	3.4.0-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.19-main	3.2.7-r4	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
rsync	3.19-main	3.2.4-r2	None	possibly vulnerable
rsync	3.19-main	3.1.2-r7	None	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages