Symlink Race Condition Vulnerability in Rsync by Rsync Project
CVE-2026-43619

7.2 HIGH

Key Information:

Status
Vendor
CVE Published: 20 May 2026

What is CVE-2026-43619?

Rsync versions 3.4.2 and earlier are susceptible to symlink race condition vulnerabilities due to insecure handling of path-based system calls, including chmod, lchown, and rename. The flaw allows local attackers with access to the filesystem to exploit the timing window between path resolution and syscall execution. By swapping symlinks within that window, attackers can apply arbitrary permissions, ownership, timestamps, or filenames to files outside the designated rsync module, particularly where rsync daemons are configured with the 'use chroot = no' setting.

Affected Version(s)

rsync 0 < 3.4.3
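
To check a daemon for the exposure described above, the following added example (not code from the rsync project or this advisory) lists the modules of an rsyncd.conf whose effective setting is 'use chroot = no' when the installed version is below 3.4.3. The function names and the sample configuration are constructed for illustration; it assumes global parameters are inherited at the point a module is declared and does not handle line continuations or included files.

```python
import re

# Constructed sample rsyncd.conf for illustration, not from a real host.
SAMPLE_CONF = """\
use chroot = yes
[backups]
    path = /srv/backups
[mirror]
    path = /srv/mirror
    Use Chroot = No
[legacy]
    path = /srv/legacy
    use chroot = false
"""

FIXED = (3, 4, 3)  # first unaffected release according to the advisory
BOOL = {"yes": True, "true": True, "1": True, "no": False, "false": False, "0": False}

def norm(name):
    # rsyncd.conf ignores case and whitespace inside parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_modules(text):
    """Return {module: settings}, with global settings inherited."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            current = None if name.lower() == "global" else name
            if current is not None:
                modules[current] = dict(globals_)
            continue
        key, sep, value = line.partition("=")  # only the first '=' counts
        if sep:
            target = globals_ if current is None else modules[current]
            target[norm(key)] = value.strip()
    return modules

def exposed_modules(text, version):
    """Modules with 'use chroot = no' on a release older than 3.4.3."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    if nums >= FIXED:
        return []
    return sorted(m for m, s in parse_modules(text).items()
                  if BOOL.get(s.get("usechroot", "").lower()) is False)
```

Pass the contents of the daemon's configuration file and the version reported by `rsync --version`; an empty list means no module matches the configuration the advisory singles out.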

References

CVSS V4

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andrew Tridgell (@tridge)