CVE-2026-43619
Analyzed Analyzed - Analysis Complete
Symlink Race Condition in Rsync

Publication date: 2026-05-20

Last updated on: 2026-05-21

Assigner: VulnCheck

Description
Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-21
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-43619
EUVD
EUVD-2026-31010
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
samba rsync to 3.4.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-43619 is a symlink race condition vulnerability found in rsync versions 3.4.2 and earlier. It affects various path-based system calls such as chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat. The vulnerability allows a local attacker with filesystem access to exploit a timing window between path resolution and the execution of these system calls. By swapping symbolic links during this window, the attacker can redirect operations to files outside the intended rsync module, potentially modifying permissions, ownership, timestamps, or filenames on arbitrary files. This issue occurs specifically when rsync daemons are configured with 'use chroot = no'. The root cause involves time-of-check to time-of-use (TOCTOU) race conditions and improper link resolution.

Impact Analysis

This vulnerability can lead to unauthorized modification of files outside the intended rsync module boundary. An attacker with local filesystem access can change file permissions, ownership, timestamps, or filenames on arbitrary files by exploiting the race condition. This can result in high confidentiality and integrity loss, as sensitive files might be altered or exposed without authorization. However, there is no direct impact on system availability.

Detection Guidance

This vulnerability involves a symlink race condition in rsync versions prior to 3.4.3 affecting various path-based system calls. Detection involves checking if your system is running a vulnerable rsync version and if the rsync daemon is configured with 'use chroot = no'.

To detect the vulnerability on your system, first verify the rsync version by running the command:

  • rsync --version

If the version is 3.4.2 or earlier, your system is vulnerable. Next, check the rsync daemon configuration file (commonly /etc/rsyncd.conf) for the 'use chroot' setting:

  • grep '^use chroot' /etc/rsyncd.conf

If 'use chroot' is set to 'no', the system is susceptible to this vulnerability.

Additionally, monitoring for suspicious symlink activity or unexpected changes in file permissions, ownership, or timestamps outside the intended rsync module boundaries may help detect exploitation attempts, though no specific detection commands are provided.

Mitigation Strategies

To mitigate this vulnerability, the primary step is to upgrade rsync to version 3.4.3 or later, where the issue has been patched.

If upgrading immediately is not possible, ensure that the rsync daemon is configured with the default setting 'use chroot = yes', which prevents the vulnerability by restricting file operations within a chroot jail.

Limiting local filesystem access to trusted users can also reduce the risk, as exploitation requires local attacker access.

Compliance Impact

CVE-2026-43619 allows local attackers to modify permissions, ownership, timestamps, or filenames on arbitrary files outside the intended rsync module boundary. This can lead to unauthorized access or modification of sensitive data.

Such unauthorized modifications and potential data integrity and confidentiality breaches could impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data access and integrity.

However, the provided information does not explicitly mention compliance impacts or regulatory considerations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43619. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart