
Description

Rsync versions 3.4.2 and earlier contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. An attacker with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping a symlink into place, so that sender-supplied permissions, ownership, timestamps, or filenames are applied to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.
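The flaw class above is a classic TOCTOU on path resolution: the receiver checks a name, then hands the same name to chmod() (or lchown(), utimes(), ...), and the kernel resolves it a second time. The added example below is not rsync's code; it is a constructed illustration of the two shapes involved, written for Linux/POSIX and using only standard calls (fchmodat, openat with O_NOFOLLOW, fstat, fchmod). The vulnerable shape follows whatever symlink is present at syscall time; the hardened shape opens the name without following links, verifies what it opened, and applies the change through the file descriptor, so no second path walk exists for an attacker to race. The directory and file names (a temporary module directory, "inside.txt", "victim.txt", "evil") are assumptions constructed for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable shape: the kernel resolves `name` again inside the syscall and
 * follows any symlink swapped in after the caller last looked at the name. */
int chmod_by_path(int dirfd, const char *name, mode_t mode)
{
    return fchmodat(dirfd, name, mode, 0);     /* flags == 0: follows symlinks */
}

/* Hardened shape: open without following links, check what was opened, then
 * act on the descriptor so there is no second path resolution to race. */
int chmod_by_fd(int dirfd, const char *name, mode_t mode)
{
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                             /* errno == ELOOP for a symlink */
    struct stat st;
    int rc = -1;
    if (fstat(fd, &st) == 0) {
        if (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode))
            rc = fchmod(fd, mode);             /* applied to the inspected object */
        else
            errno = EINVAL;                    /* device, fifo, socket: refuse */
    }
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed fixture (assumption: writable /tmp). Returns 0 when all three
 * observations hold, otherwise the number of the first failed check:
 *  1: path-based chmod lands on the symlink's target,
 *  2: fd-based chmod refuses the symlink with ELOOP and leaves the target alone,
 *  3: fd-based chmod still works on a genuine regular file in the module. */
int run_demo(void)
{
    char dir[] = "/tmp/cve_2026_43619_demo_XXXXXX";
    char target[512];
    struct stat st;
    int result;

    if (!mkdtemp(dir))
        return -1;
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) {
        rmdir(dir);
        return -1;
    }
    /* "victim.txt" stands in for a file outside the exported module;
     * "evil" is the symlink a local attacker would swap into place. */
    close(openat(dirfd, "inside.txt", O_WRONLY | O_CREAT, 0600));
    close(openat(dirfd, "victim.txt", O_WRONLY | O_CREAT, 0600));
    snprintf(target, sizeof target, "%s/victim.txt", dir);
    symlinkat(target, dirfd, "evil");

    if (chmod_by_path(dirfd, "evil", 0666) != 0 ||
        fstatat(dirfd, "victim.txt", &st, 0) != 0 || (st.st_mode & 0777) != 0666) {
        result = 1; goto cleanup;
    }
    if (chmod_by_fd(dirfd, "evil", 0600) != -1 || errno != ELOOP ||
        fstatat(dirfd, "victim.txt", &st, 0) != 0 || (st.st_mode & 0777) != 0666) {
        result = 2; goto cleanup;
    }
    if (chmod_by_fd(dirfd, "inside.txt", 0640) != 0 ||
        fstatat(dirfd, "inside.txt", &st, 0) != 0 || (st.st_mode & 0777) != 0640) {
        result = 3; goto cleanup;
    }
    result = 0;
cleanup:
    unlinkat(dirfd, "evil", 0);
    unlinkat(dirfd, "victim.txt", 0);
    unlinkat(dirfd, "inside.txt", 0);
    close(dirfd);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    if (r == 0)
        puts("path-based chmod followed the link; fd-based chmod refused it");
    else
        printf("check %d failed\n", r);
    return r;
}
```

The same fd-based discipline covers the other calls named in the description: fchown() and futimens() replace lchown() and utimes() once the object has been opened with O_NOFOLLOW and type-checked with fstat(), and renameat()/unlinkat()/mkdirat() keep the operation relative to a directory descriptor that was itself opened inside the module. Where a name must stay a symlink (the receiver is writing a link, not through one), the check is that fstat() reports S_ISLNK on an O_PATH|O_NOFOLLOW descriptor, not a fresh lstat() on the path.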

State: PUBLISHED | Reserved 2026-05-01 | Published 2026-05-20 | Updated 2026-05-20 | Assigner: VulnCheck

HIGH: 7.2 (CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)

MEDIUM: 6.3 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)

Problem types

Time-of-check Time-of-use (TOCTOU) Race Condition

Improper Link Resolution Before File Access ('Link Following')

Product status

Default status: unaffected

Any version before 3.4.3: affected

Credits

Andrew Tridgell (@tridge) finder

References

github.com/.../rsync/security/advisories/GHSA-4h9m-w5ff-j735 vendor-advisory

github.com/RsyncProject/rsync/releases/tag/v3.4.3 release-notes

www.vulncheck.com/...-race-condition-via-path-based-syscalls third-party-advisory

cve.org (CVE-2026-43619)

nvd.nist.gov (CVE-2026-43619)
