CVEFinder.io

CVE-2026-43619

🔶 medium
Description

Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.

CVSS Score: 6.3 (Medium)
EPSS Score: 0.0 (exploit probability)
Published Date: 2026-05-20
First Seen: 2026-05-21
Relative Risk Intelligence

This CVE is Lower Risk: it is more severe than 39.2% of all 329,456 vulnerabilities in our database.

Severity Percentile: #200,263 (below average severity)
CISA SSVC Assessment (updated May 20, 2026)
Exploitation Status: None (no known exploits)
Automatable: No (requires human interaction)
Technical Impact: Total (complete system compromise possible)
Discovered By: Andrew Tridgell (@tridge)
SSVC data provided by CISA

Last Modified: 2026-05-21
Source: NVD
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Related CVEs (6)

CVE ID | Severity | CVSS | EPSS | Published | Summary
CVE-2026-43617 | medium | 4.8 | 0.0 | 2026-05-20 | Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access...
CVE-2026-43618 | high | 8.1 | 0.1 | 2026-05-20 | Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit ...
CVE-2026-43620 | medium | 6.5 | 0.0 | 2026-05-20 | Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receive...
CVE-2026-45232 | low | 3.1 | 0.0 | 2026-05-20 | Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connect...
CVE-2026-29518 | high | 7.0 | 0.0 | 2026-05-20 | Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that ...
CVE-2026-41035 | high | 7.4 | 0.0 | 2026-04-16 | In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiv...
These CVEs affect the same products