CVEFinder.io

CVE-2026-29518

⚠️ high
πŸ” Scan for this CVE
Summary

Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This

Description

Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.

CVSS Score
7.0
High
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-20
First Seen: 2026-05-21
πŸ“Š Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 51.9% of all 329,456 vulnerabilities in our database.

#158,616
Above average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 20, 2026
πŸ” Exploitation Status
None
No known exploits
βš™οΈ Automatable
NO
Requires human interaction
πŸ’₯ Technical Impact
Total
Complete system compromise possible
πŸ† Discovered By
Nullx3D (Batuhan SANCAK) Michael Stapelberg Damien Neil
SSVC data provided by CISA
Last Modified 2026-05-26
Source NVD πŸ”—
CVSS Vector 3.1 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Vector 4.0 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-367

πŸ“¦ Affected Products 1

Vendor Product Status Affected Versions
samba rsync Affected
< 3.4.3

πŸ”— References 4

https://github.com/RsyncProject/rsync/pull/895/chang...
Patch
https://github.com/RsyncProject/rsync/releases/tag/v...
Release Notes
https://michael.stapelberg.ch/posts/2026-05-24-minim...
https://www.vulncheck.com/advisories/rsync-toctou-ra...
Third Party Advisory

πŸ”— Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-43617 πŸ”Ά medium 4.8 0.0 Rsync versionΒ 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access... 2026-05-20
CVE-2026-43618 ⚠️ high 8.1 0.1 Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit ... 2026-05-20
CVE-2026-43619 πŸ”Ά medium 6.3 0.0 Rsync versionΒ 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod... 2026-05-20
CVE-2026-43620 πŸ”Ά medium 6.5 0.0 Rsync versionΒ 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receive... 2026-05-20
CVE-2026-45232 ℹ️ low 3.1 0.0 Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connect... 2026-05-20
CVE-2026-41035 ⚠️ high 7.4 0.0 In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiv... 2026-04-16
These CVEs affect the same products