CVE-2026-43619 HIGH

CVE-2026-43619: Rsync < 3.4.3 Symlink Race Condition via Path-Based Syscalls

Vendor Rsyncproject
Product rsync
Weakness CWE-367
Published May 20, 2026
Last update May 20, 2026

CVSS base score

7.2/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Rsync versions 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls, including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat, that allow local attackers to redirect operations to files outside the exported rsync module. On rsync daemons configured with 'use chroot = no', attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks, so that sender-supplied permissions, ownership, timestamps, or filenames are applied to arbitrary files outside the intended module boundary.
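To find daemons that meet the configuration precondition named above, the following added example (not part of the CVE record or the rsync project) lists the modules in an rsyncd.conf text whose effective 'use chroot' value is off. The function name, the sample config, and the rule that a module inherits the global value set before it are assumptions of this example; included or merged config files are not followed.

```python
import re

OFF = {"no", "false", "0"}  # rsyncd.conf spellings of a false boolean

# Constructed sample config, not taken from any real host.
SAMPLE = """\
use chroot = yes
[safe]
    path = /srv/safe
[legacy]
    path = /srv/legacy
    Use  Chroot = No
[global]
use chroot = false
[later]
    path = /srv/later
[pinned]
    path = /srv/pinned
    use chroot = true
"""

def modules_without_chroot(conf_text):
    """Return sorted names of modules whose effective 'use chroot' is off."""
    text = re.sub(r"\\\r?\n", "", conf_text)   # join backslash-continued lines
    default_off = False   # global value currently in effect
    section = None        # None while reading global parameters
    result = {}           # module name -> chroot disabled?
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            name = header.group(1).strip()
            section = None if name == "global" else name
            if section is not None:
                # Assumption: a module inherits the global value set before it.
                result.setdefault(section, default_off)
            continue
        key, sep, value = line.partition("=")
        # Whitespace and case in parameter names are not significant.
        if not sep or re.sub(r"\s+", "", key).lower() != "usechroot":
            continue
        off = value.strip().lower() in OFF
        if section is None:
            default_off = off
        else:
            result[section] = off
    return sorted(name for name, off in result.items() if off)

if __name__ == "__main__":
    print(modules_without_chroot(SAMPLE))
```

Modules reported here on a host running rsync 3.4.2 or earlier match the affected configuration described in this record.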

Key dates

02 Disclosure timeline

May 20, 2026 CVE published
May 20, 2026 Record updated