CVE-2026-43619

EUVD-2026-31010
Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.
Link Following
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.3 MEDIUM
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
sambarsync
𝑥
≤ 3.4.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
rsync
bookworm
vulnerable
bookworm (security)
3.2.7-1+deb12u5
fixed
bullseye
vulnerable
bullseye (security)
3.2.3-4+deb11u4
fixed
forky
3.4.4+ds1-1
fixed
sid
3.4.4+ds1-1
fixed
trixie
vulnerable
trixie (security)
3.4.1+ds1-5+deb13u3
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
rsync
Azure Linux 3.0
0:3.4.3-1.azl3
fixed