CVE-2026-29518

EUVD-2026-31100
Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.
TOCTOU
CVSS 3.x Base Score

Provider   Type      Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       Primary   7 HIGH       LOCAL         HIGH              LOW              CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score
Percentile: 4%
Affected Products (NVD)

Vendor   Product   Version
samba    rsync     < 3.4.3 (vulnerable software versions)
Debian Releases

Debian Product   Codename              Version                 Status
rsync            bookworm                                      vulnerable
rsync            bookworm (security)   3.2.7-1+deb12u5         fixed
rsync            bullseye                                      vulnerable
rsync            bullseye (security)   3.2.3-4+deb11u4         fixed
rsync            forky                 3.4.4+ds1-1             fixed
rsync            sid                   3.4.4+ds1-1             fixed
rsync            trixie                                        vulnerable
rsync            trixie (security)     3.4.1+ds1-5+deb13u3     fixed
Red Hat Enterprise Linux Releases

Red Hat Product   Release   Version              Status
rsync             RHEL 8    0:3.1.3-27.el8_10    fixed
rsync             RHEL 9    0:3.2.5-7.el9_8.2    fixed
rsync-daemon      RHEL 8    0:3.1.3-27.el8_10    fixed
rsync-daemon      RHEL 9    0:3.2.5-7.el9_8.2    fixed
rsync-rrsync      RHEL 9    0:3.2.5-7.el9_8.2    fixed
Azure Linux Releases

Azure Package   Release           Version           Status
rsync           Azure Linux 3.0   0:3.4.3-1.azl3    fixed