CVE-2026-29518 HIGH

CVE-2026-29518: Rsync < 3.4.3 TOCTOU Race Condition Allows Symlink-Based Arbitrary File Write

Vendor Rsyncproject
Product rsync
Weakness CWE-367
Published May 20, 2026
Last update June 30, 2026

CVSS base score

7.3/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.
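A defender-side check for the two conditions in the description, an rsync older than 3.4.3 and a daemon module with chroot disabled, written as an added example (not code from the rsync project or this record). It assumes the chroot setting is the `use chroot` parameter in `rsyncd.conf`, that parameter names are matched regardless of case and spacing, and that modules leaving the parameter unset are not flagged; the sample config and version string are constructed.

```python
import re

FIXED = (3, 4, 3)                      # first fixed release named in the advisory
FALSE_VALUES = {"no", "false", "0"}    # rsyncd.conf boolean "off" spellings

# Constructed sample rsyncd.conf, not taken from any real host.
SAMPLE_CONF = """\
use chroot = yes
read only = yes

[backup]
    path = /srv/backup
    use chroot = no
    read only = false

[mirror]
    path = /srv/mirror
    # inherits the global settings

[incoming]
    path = /srv/incoming
    Use Chroot = false
"""

def is_affected_version(version_text):
    """True if the first x.y.z found in the text is lower than 3.4.3."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    return bool(m) and tuple(map(int, m.groups())) < FIXED

def modules_without_chroot(conf_text):
    """Map each module whose effective 'use chroot' is explicitly false to its details."""
    global_params, modules, current = {}, {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())   # names compared case/space-insensitively
            (global_params if current is None else current)[key] = value.strip()
    findings = {}
    for name, params in modules.items():
        eff = {**global_params, **params}         # module values override globals
        # "read only" is treated as yes when unset (assumed rsyncd.conf default)
        writable = eff.get("read only", "yes").lower() in FALSE_VALUES
        if eff.get("use chroot", "").lower() in FALSE_VALUES:
            findings[name] = {"path": eff.get("path"), "writable_via_daemon": writable}
    return findings
```

Run `is_affected_version` on the output of `rsync --version` and `modules_without_chroot` on the daemon's config text; a module flagged on a host with an affected version is the combination the description calls out.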

Key dates

02 Disclosure timeline

May 20, 2026 CVE published
June 30, 2026 Record updated