PT-2026-42053 · Rsync+2

Andrew Tridgell · Published 2026-05-20 · Updated 2026-06-01 · CVE-2026-43619

CVSS v3.1: 6.3 (Medium)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

rsync versions prior to 3.4.3

Description

A symlink race condition exists in path-based system calls, including chmod(), lchown(), utimes(), rename(), unlink(), mkdir(), symlink(), mknod(), link(), rmdir(), and lstat(). Local attackers with filesystem access can exploit the timing window between path resolution and system call execution by swapping symlinks. This redirects operations to files outside the exported rsync module, so that sender-supplied permissions, ownership, timestamps, or filenames are applied to arbitrary files. This issue affects rsync daemons configured with "use chroot = no".

Recommendations

Update to version 3.4.3 or later. Configure rsync daemons with "use chroot = yes" to prevent access outside the module boundary.
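
To find daemon modules that run with the affected setting, the following added example (not part of the advisory or of rsync) reports the effective "use chroot" value per module in an rsyncd.conf, including values inherited from the global section. The sample configuration is constructed, and the function names are hypothetical.

```python
import re

# Assumption: rsyncd.conf booleans are written yes/no, true/false or 1/0.
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
uid = nobody
use chroot = no

[backup]
    path = /srv/backup

[mirror]
    path = /srv/mirror
    use chroot = yes

[incoming]
    path = /srv/incoming
    Use Chroot = false
"""

def chroot_settings(conf_text):
    """Return {module: 'yes' | 'no' | 'unset'} with global inheritance applied."""
    global_value, modules, current = "unset", {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            name = header.group(1).strip()
            current = None if name.lower() == "global" else name
            if current is not None:
                modules[current] = global_value  # inherit until overridden
            continue
        key, sep, value = line.partition("=")
        # Assumption: parameter names ignore case and internal whitespace.
        if not sep or re.sub(r"\s+", "", key).lower() != "usechroot":
            continue
        value = value.strip().lower()
        setting = "yes" if value in TRUE else "no" if value in FALSE else "unset"
        if current is None:
            global_value = setting
        else:
            modules[current] = setting
    return modules

def exposed_modules(conf_text):
    """Modules whose effective setting is 'use chroot = no'."""
    return sorted(m for m, v in chroot_settings(conf_text).items() if v == "no")
```

The parser does not follow &include or &merge directives, so files pulled in that way need to be checked separately. Modules reported as 'unset' rely on the daemon's default and should be set to yes explicitly.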

Fix

Time Of Check To Time Of Use

Link Following

Weakness Enumeration

Related Identifiers

CVE-2026-43619
ECHO-2DE0-1B04-BAD9
OPENSUSE-SU-2026:10857-1
USN-8283-1
USN-8349-1

Affected Products

Linuxmint
Ubuntu
Rsync