
Rsync EUVD-2026-31100

CVE-2026-29518 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-05-20 VulnCheck GHSA-pfv9-gp3h-73xv
7.3
CVSS 4.0
CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

Source Code Evidence Fetched
May 20, 2026 - 13:31 vuln.today
Analysis Generated
May 20, 2026 - 13:31 vuln.today
CVSS changed
May 20, 2026 - 13:22 NVD
7.0 (HIGH) → 7.3 (HIGH)

Description (NVD)

Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.

Analysis (AI)

Local privilege escalation in Rsync daemon (versions ≤ 3.4.2) is possible via a TOCTOU symlink race when the daemon is configured with 'use chroot = no'. An authenticated local attacker with write access to a module can swap a parent directory component for a symlink between the receiver's path check and its open() call, redirecting writes outside the module and overwriting sensitive files. …

Remediation (AI)

24 hours: Inventory all Rsync daemon instances; identify which use 'use chroot = no'; audit local user accounts with write access to modules.

7 days: Enable 'use chroot = yes' where operationally feasible, or restrict module write permissions via filesystem ACLs; disable non-essential module access for untrusted local users. …
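For the inventory step, an added example (not part of the advisory and not rsync project code) that parses an rsyncd.conf and lists modules that are both writable and explicitly configured without chroot. The sample configuration is constructed; the sketch assumes an unset 'use chroot' counts as enabled and does not follow include directives, line continuations or a later [global] section.

```python
import re

# Constructed sample rsyncd.conf for illustration (not from the advisory).
SAMPLE_CONF = """\
uid = root
use chroot = yes
[backups]
path = /srv/backups
read only = no
use chroot = no
[mirror]
path = /srv/mirror
use chroot = false
[uploads]
path = /srv/uploads
read only = false
"""

def as_bool(value, default):
    # rsyncd.conf booleans: yes/no, true/false, 1/0; anything else -> default
    v = (value or "").strip().lower()
    return {"yes": True, "true": True, "1": True,
            "no": False, "false": False, "0": False}.get(v, default)

def parse_modules(text):
    """Return {module: params}; each module starts from the global settings."""
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            modules[current] = dict(global_params)
        elif "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()   # "use chroot" -> "usechroot"
            target = modules[current] if current else global_params
            target[key] = value.strip()
    return modules

def exposed_modules(text):
    """List (module, path, uid) for writable modules with chroot explicitly off."""
    findings = []
    for name, p in parse_modules(text).items():
        no_chroot = not as_bool(p.get("usechroot"), default=True)  # assumption: unset = chroot on
        writable = not as_bool(p.get("readonly"), default=True)    # rsyncd default: read only = yes
        if no_chroot and writable:
            findings.append((name, p.get("path", "?"), p.get("uid", "(unset)")))
    return findings
```

Against a real daemon, pass the contents of its configuration file to exposed_modules(); each result is a module to move to 'use chroot = yes' or to restrict, with the uid column showing which ones run with elevated privileges.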

