Rsync Daemon File Handling Vulnerability in Rsync by Rsync Project
CVE-2026-29518

7.3 HIGH

Key Information:

CVE Published: 20 May 2026

What is CVE-2026-29518?

Rsync versions prior to 3.4.3 are susceptible to a time-of-check to time-of-use (TOCTOU) race condition in the handling of daemon file operations. An attacker who has write permissions to a module path can exploit the race condition to redirect file writes to unintended directories. By replacing components of the parent directory with symbolic links, the attacker can create or overwrite arbitrary files. If the daemon operates with elevated privileges and the chroot setting is disabled, this manipulation can potentially modify sensitive system files and lead to privilege escalation.
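The exposure conditions named above (a version before 3.4.3, a writable module, chroot disabled, elevated privileges) can be checked on a host with a short audit. This is an added example, not code from the rsync project or the advisory. The function names and the sample configuration are constructed, and unset parameters are assumed to behave as `read only = yes`, chroot enabled, and `uid = nobody`.

```python
import re
FALSE = {"no", "false", "0"}
FIXED = (3, 4, 3)  # first fixed release according to the advisory text

def is_affected(version):
    """True if an rsync version string such as '3.4.1' predates the fix."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3]) < FIXED

def parse_rsyncd_conf(text):
    """Return (globals, {module: params}); keys lowercased with spaces removed."""
    globals_, modules = {}, {}
    current = globals_
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:                           # start of a module section
            current = modules.setdefault(header.group(1).strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)  # only the first '=' is significant
            current["".join(key.split()).lower()] = value.strip()
    return globals_, modules

def exposed_modules(text):
    """List (module, rating) for writable modules served without chroot."""
    globals_, modules = parse_rsyncd_conf(text)
    findings = []
    for name, params in modules.items():
        eff = {**globals_, **params}         # module settings override globals
        writable = eff.get("readonly", "yes").lower() in FALSE
        no_chroot = eff.get("usechroot", "yes").lower() in FALSE
        as_root = eff.get("uid", "nobody") in ("root", "0")
        if writable and no_chroot:           # assumed defaults: see lead-in
            findings.append((name, "HIGH" if as_root else "REVIEW"))
    return findings

SAMPLE = """\
# constructed sample rsyncd.conf
uid = root
use chroot = no
[backup]
path = /srv/backup
read only = no
[mirror]
read only = yes
[upload]
read only = false
uid = nobody
"""
```

Run `exposed_modules` over the real daemon configuration and pair it with `is_affected` on the installed version: a `HIGH` module on an affected version matches the privilege-escalation case the description names.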

Affected Version(s)

rsync 0 < 3.4.3

CVSS V4

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nullx3D (Batuhan SANCAK)
Michael Stapelberg
Damien Neil