Skip to main content

Rsync EUVDEUVD-2026-31010

| CVE-2026-43619 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-05-20 VulnCheck GHSA-pwrq-5rj3-c43m
7.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.2 HIGH
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Red Hat
6.3 MEDIUM
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
May 20, 2026 - 02:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 20, 2026 - 02:22 vuln.today
cvss_changed
Severity Changed
May 20, 2026 - 02:22 NVD
MEDIUM HIGH
CVSS changed
May 20, 2026 - 02:22 NVD
6.3 (MEDIUM) 7.2 (HIGH)
Patch available
May 20, 2026 - 02:01 EUVD
Source Code Evidence Fetched
May 20, 2026 - 01:44 vuln.today
Analysis Generated
May 20, 2026 - 01:44 vuln.today

DescriptionCVE.org

Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.

AnalysisAI

Symlink race condition in Rsync 3.4.2 and earlier allows local attackers with filesystem access to redirect path-based system calls (chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, lstat) to files outside the exported rsync module boundary. The flaw affects rsync daemons configured with 'use chroot = no' and was reported by VulnCheck; no public exploit identified at time of analysis. A patched release (v3.4.3) is available from the RsyncProject upstream, which adds openat2 RESOLVE_BENEATH for secure relative path resolution.

Technical ContextAI

Rsync is a widely deployed file synchronization utility (CPE cpe:2.3:a:rsyncproject:rsync) often run as a daemon to expose 'modules' (named directory trees) over the network. The vulnerability is a classic CWE-367 (Time-of-Check Time-of-Use, TOCTOU) race condition: rsync performs path resolution to verify a target lies within an exported module, then issues path-based syscalls (chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, lstat) on that path. Between resolution and syscall execution, an attacker with local filesystem access can swap a directory component with a symlink, causing the syscall to act on an arbitrary path. The 3.4.3 release adopts the Linux openat2 RESOLVE_BENEATH flag, which atomically refuses path resolution that escapes a base directory and closes the race window where it is available.

RemediationAI

Vendor-released patch: rsync 3.4.3 - upgrade from any version ≤3.4.2 to 3.4.3 or later (https://github.com/RsyncProject/rsync/releases/tag/v3.4.3), which incorporates openat2 RESOLVE_BENEATH for secure relative path resolution and a bundle of combined security fixes (PR #895, #887). If immediate patching is not possible, the most direct compensating control is to set 'use chroot = yes' in rsyncd.conf for every exported module so the daemon chroots into the module root before path operations - this neutralizes the symlink-escape primitive but requires the daemon to run as root and may break setups that rely on path access outside the module. Additional hardening: restrict daemon exposure to trusted local accounts only, run the daemon in a dedicated unprivileged UID with a per-module dataset on its own filesystem, and audit module roots so they contain no attacker-writable parent directories. Reference the GHSA-4h9m-w5ff-j735 advisory and the VulnCheck write-up for vendor-specific guidance.

More in Rsync

View all
CVE-2024-12085 HIGH POC
7.5 Jan 14

A flaw was found in rsync which could be triggered when rsync compares file checksums. Rated high severity (CVSS 7.5), t

CVE-2024-12084 CRITICAL POC
9.8 Jan 15

A heap-based buffer overflow flaw was found in the rsync daemon. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2014-9512 MEDIUM POC
6.4 Feb 12

rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization pa

CVE-2024-12087 HIGH POC
7.5 Jan 14

Server-to-client path traversal in rsync lets a malicious or compromised rsync server write files outside the client's i

CVE-2022-29154 HIGH POC
7.4 Aug 02

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the d

CVE-2014-2855 HIGH
7.8 Apr 23

The check_secret function in authenticate.c in rsync 3.1.0 and earlier allows remote attackers to cause a denial of serv

CVE-2024-12086 MEDIUM POC
6.8 Jan 14

A flaw was found in rsync. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authenticati

CVE-2017-16548 CRITICAL
9.8 Nov 06

The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character

CVE-2017-17434 CRITICAL
9.8 Dec 06

The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_

CVE-2017-15994 CRITICAL
9.8 Oct 29

rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to by

CVE-2024-12088 HIGH
7.5 Jan 14

Arbitrary file write outside the intended destination in rsync's client-side `--safe-links` handling allows a malicious

CVE-2026-41035 HIGH
7.8 Apr 16

Receiver-side use-after-free in rsync 3.0.1 through 3.4.1 lets a malicious peer corrupt memory on a host running rsync w

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:latest Image SLE-Micro-BYOS-EC2 Affected
Image SLES15-SP6 Image SLES15-SP6-BYOS Image SLES15-SP6-BYOS-Azure Image SLES15-SP6-BYOS-EC2 Image SLES15-SP6-BYOS-GCE Image SLES15-SP6-GCE Image SLES15-SP6-HPC-BYOS Image SLES15-SP6-HPC-BYOS-Azure Image SLES15-SP6-HPC-BYOS-EC2 Image SLES15-SP6-HPC-BYOS-GCE Image SLES15-SP6-HPC-EC2 Image SLES15-SP6-HPC-GCE Image SLES15-SP6-Hardened-BYOS Image SLES15-SP6-Hardened-BYOS-Azure Image SLES15-SP6-Hardened-BYOS-EC2 Image SLES15-SP6-Hardened-BYOS-GCE Image SLES15-SP6-SAP Image SLES15-SP6-SAP-Azure Image SLES15-SP6-SAP-GCE Image SLES15-SP6-SAPCAL Image SLES15-SP6-SAPCAL-Azure Image SLES15-SP6-SAPCAL-GCE Image SLES15-SP7-HPC-BYOS-Azure Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP6-LTSS Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP6 Fixed

Share

EUVD-2026-31010 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy