Skip to main content

Rsync EUVDEUVD-2026-31100

| CVE-2026-29518 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-05-20 VulnCheck GHSA-pfv9-gp3h-73xv
High
Disputed · 7.3 Vendor: VulnCheck
Share

Severity by source

Sources disagree (Low–High)
Vendor (VulnCheck) PRIMARY
7.3 HIGH
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
3.1 LOW
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.8 HIGH
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 20, 2026 - 13:31 vuln.today
Analysis Generated
May 20, 2026 - 13:31 vuln.today
CVSS changed
May 20, 2026 - 13:22 NVD
7.0 (HIGH) 7.3 (HIGH)

DescriptionCVE.org

Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.

AnalysisAI

Local privilege escalation in Rsync daemon (versions ≤ 3.4.2) is possible via a TOCTOU symlink race when the daemon is configured with 'use chroot = no'. An authenticated local attacker with write access to a module can swap a parent directory component for a symlink between the receiver's path check and its open() call, redirecting writes outside the module and overwriting sensitive files. No public exploit identified at time of analysis, but the upstream patch in release 3.4.3 and a detailed VulnCheck advisory disclose the precise race window.

Technical ContextAI

Rsync is a widely deployed file-synchronization daemon written in C. The flaw is a classic CWE-367 time-of-check to time-of-use race on parent path components handled by the daemon's receiver process. Per the upstream NEWS entry, the helper secure_relative_open() - originally introduced in 3.4.0 to address CVE-2024-12086 - was not invoked on the daemon-no-chroot code path, leaving path resolution susceptible to interleaved symlink replacement. CPE cpe:2.3:a:rsyncproject:rsync:*:*:*:*:*:*:*:* covers all rsync builds from the upstream RsyncProject prior to 3.4.3, including embedded uses in Linux distributions and storage appliances.

RemediationAI

Vendor-released patch: rsync 3.4.3 - upgrade all daemon hosts to this version (https://github.com/RsyncProject/rsync/releases/tag/v3.4.3), which routes daemon-no-chroot path opens through the existing secure_relative_open() helper. If immediate upgrade is not possible, the most effective workaround is to set 'use chroot = yes' for every module in rsyncd.conf, which fully avoids the vulnerable code path; the trade-off is that chroot requires the daemon to run as root to chroot() and constrains module path semantics (no following symlinks out of the module root, restricted UID/GID lookups). As a secondary mitigation, restrict module write access - including 'auth users' lists and 'hosts allow' rules - so untrusted local or network principals cannot stage the racing symlink. Also pull in the same 3.4.3 release to get sibling fixes (CVE-2026-43617 through CVE-2026-45232), since the upstream advisory notes related issues that landed together.

More in Rsync

View all
CVE-2024-12085 HIGH POC
7.5 Jan 14

A flaw was found in rsync which could be triggered when rsync compares file checksums. Rated high severity (CVSS 7.5), t

CVE-2024-12084 CRITICAL POC
9.8 Jan 15

A heap-based buffer overflow flaw was found in the rsync daemon. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2014-9512 MEDIUM POC
6.4 Feb 12

rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization pa

CVE-2024-12087 HIGH POC
7.5 Jan 14

Server-to-client path traversal in rsync lets a malicious or compromised rsync server write files outside the client's i

CVE-2022-29154 HIGH POC
7.4 Aug 02

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the d

CVE-2014-2855 HIGH
7.8 Apr 23

The check_secret function in authenticate.c in rsync 3.1.0 and earlier allows remote attackers to cause a denial of serv

CVE-2024-12086 MEDIUM POC
6.8 Jan 14

A flaw was found in rsync. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authenticati

CVE-2017-16548 CRITICAL
9.8 Nov 06

The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character

CVE-2017-17434 CRITICAL
9.8 Dec 06

The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_

CVE-2017-15994 CRITICAL
9.8 Oct 29

rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to by

CVE-2024-12088 HIGH
7.5 Jan 14

Arbitrary file write outside the intended destination in rsync's client-side `--safe-links` handling allows a malicious

CVE-2026-41035 HIGH
7.8 Apr 16

Receiver-side use-after-free in rsync 3.0.1 through 3.4.1 lets a malicious peer corrupt memory on a host running rsync w

Vendor StatusVendor

SUSE

Severity: Low
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:latest Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Affected
Image SLES15-SP6-HPC-BYOS Image SLES15-SP6-HPC-BYOS-Azure Image SLES15-SP7-HPC-BYOS-Azure Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP6-LTSS Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP6 Fixed

Share

EUVD-2026-31100 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy