VDB
CVE-2026-29518
CVE-2026-29518
PUBLISHED
CVSS 7.300000190734863 HIGH
Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.
EPSS 0.01% · 0.9th percentile
Risk Scores
CVSS v4.0
7.300000190734863
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.01%
0.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| RsyncProject | rsync | 0 |
Timeline
- May 20, 2026 PoC Published
- May 20, 2026 PoC Published
- May 20, 2026 CVE Published
- May 20, 2026 PoC Published
- May 21, 2026 EPSS Score
- May 21, 2026 Coalition ESS Score
- May 21, 2026 Security Advisory
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
- May 26, 2026 EPSS Score
References
- https://github.com/RsyncProject/rsync/pull/895/changes/8471fdd1561049ef5f58df44a1811a50bd9a531d issue
- https://github.com/RsyncProject/rsync/releases/tag/v3.4.3 url
- https://www.vulncheck.com/advisories/rsync-toctou-race-condition-allows-symlink-based-arbitrary-file-write third-party-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-29518 advisory