PT-2026-42153 · Rsync+3 · Rsync+3
Damien Neil
+2
·
Published
2026-05-20
·
Updated
2026-06-30
·
CVE-2026-29518
CVSS v3.1
7.8
High
| Vector | AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
rsync versions prior to 3.4.3
Description
A time-of-check to time-of-use (TOCTOU) race condition exists in the daemon file handling. This occurs when an rsync daemon is configured with the
chroot setting set to false. A local attacker with write access to a module path can replace a parent directory component with a symbolic link between the time the receiver checks the path and the time it calls the open() function. This allows the attacker to redirect reads and writes outside the intended directories, enabling the disclosure of basis-files or the creation and overwriting of arbitrary files. If the daemon runs with elevated privileges, this can lead to privilege escalation.Recommendations
Update to version 3.4.3 or later.
Ensure the
chroot setting is set to true to prevent this issue.Exploit
Fix
LPE
Time Of Check To Time Of Use
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Linuxmint
Rocky Linux
Ubuntu
Rsync