CVE-2026-29518

NameCVE-2026-29518
DescriptionRsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4591-1, DSA-6282-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rsync (PTS)bullseye3.2.3-4+deb11u1vulnerable
bullseye (security)3.2.3-4+deb11u4fixed
bookworm3.2.7-1+deb12u4vulnerable
bookworm (security)3.2.7-1+deb12u5fixed
trixie3.4.1+ds1-5+deb13u2vulnerable
trixie (security)3.4.1+ds1-5+deb13u3fixed
forky, sid3.4.3+ds1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rsyncsourcebullseye3.2.3-4+deb11u4DLA-4591-1
rsyncsourcebookworm3.2.7-1+deb12u5DSA-6282-1
rsyncsourcetrixie3.4.1+ds1-5+deb13u3DSA-6282-1
rsyncsource(unstable)3.4.3+ds1-1

Notes

https://download.samba.org/pub/rsync/NEWS#3.4.3
https://www.openwall.com/lists/oss-security/2026/05/20/6
Search for package or bug name: Reporting problems