Executive Summary

CVE-2026-29518 is a high severity vulnerability affecting rsync versions before 3.4.3. It is a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling when the chroot setting is disabled (use chroot = no). This race condition allows an attacker with write access to a module path to replace parent directory components with symbolic links between the check and the file open operation. By doing this, the attacker can redirect file writes outside the intended directories, enabling them to create or overwrite arbitrary files.

This can lead to modification of sensitive system files and potentially privilege escalation if the rsync daemon runs with elevated privileges. The vulnerability arises because the daemon does not securely handle file paths in this configuration, allowing the symlink attack to succeed.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges.

Such unauthorized modification and potential exposure of sensitive data could lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive information and system integrity.

Specifically, if sensitive personal or health data is stored or processed on systems using vulnerable rsync versions without chroot enabled, exploitation of this vulnerability could result in data breaches or unauthorized data manipulation, violating regulatory requirements.

Useful 0 Not Useful 0

Impact Analysis

If exploited, this vulnerability can allow an attacker with write access to a module path to create or overwrite arbitrary files outside the intended directories. This can result in unauthorized modification of sensitive system files.

Such unauthorized file modifications can lead to privilege escalation, especially if the rsync daemon is running with elevated privileges, potentially giving the attacker higher-level access to the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability affects rsync daemon mode when the configuration option "use chroot = no" is set for a module. Detection involves verifying the rsync version and configuration.

• Check the rsync version installed on your system. Versions before 3.4.3 are vulnerable.
• Inspect the rsync daemon configuration file (usually /etc/rsyncd.conf) for modules with the setting "use chroot = no".
• Example command to check rsync version: `rsync --version`
• Example command to check for chroot setting in rsync daemon config: `grep -i 'use chroot' /etc/rsyncd.conf`

Additionally, monitoring for unexpected symbolic link creations or modifications in module paths with write access could help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, immediate steps include:

• Upgrade rsync to version 3.4.3 or later, where the vulnerability is fixed.
• Ensure the rsync daemon configuration uses "use chroot = yes" for all modules, as the vulnerability can only be triggered if chroot is disabled.
• Restrict write access to rsync modules to trusted users only to prevent attackers from exploiting the race condition.

Applying these steps will reduce the risk of arbitrary file writes and potential privilege escalation.

Useful 0 Not Useful 0