CVE-2026-43619

Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.0 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/RsyncProject/rsync/releases/tag/v3.4.3	Release Notes
https://github.com/RsyncProject/rsync/security/advisories/GHSA-4h9m-w5ff-j735	Vendor Advisory
https://www.vulncheck.com/advisories/rsync-symlink-race-condition-via-path-based-syscalls	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*

History

21 May 2026, 20:42

Type	Values Removed	Values Added
CPE		cpe:2.3:a:samba:rsync::::::::
First Time		Samba Samba rsync
References	~~() https://github.com/RsyncProject/rsync/releases/tag/v3.4.3 -~~	() https://github.com/RsyncProject/rsync/releases/tag/v3.4.3 - Release Notes
References	~~() https://github.com/RsyncProject/rsync/security/advisories/GHSA-4h9m-w5ff-j735 -~~	() https://github.com/RsyncProject/rsync/security/advisories/GHSA-4h9m-w5ff-j735 - Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/rsync-symlink-race-condition-via-path-based-syscalls -~~	() https://www.vulncheck.com/advisories/rsync-symlink-race-condition-via-path-based-syscalls - Third Party Advisory

20 May 2026, 02:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-20 02:16

Updated : 2026-05-21 20:42

NVD link : CVE-2026-43619

Mitre link : CVE-2026-43619

CVE.ORG link : CVE-2026-43619

JSON object : View

Products Affected

samba

rsync

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

{"id": "CVE-2026-43619", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.0}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.2, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-05-20T02:16:36.577", "references": [{"url": "https://github.com/RsyncProject/rsync/releases/tag/v3.4.3", "tags": ["Release Notes"], "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/RsyncProject/rsync/security/advisories/GHSA-4h9m-w5ff-j735", "tags": ["Vendor Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/rsync-symlink-race-condition-via-path-based-syscalls", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-367"}]}], "descriptions": [{"lang": "en", "value": "Rsync version\u00a03.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'."}], "lastModified": "2026-05-21T20:42:47.623", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EC81F4B6-4EC5-433C-9709-E4B9E340C65A", "versionEndIncluding": "3.4.2"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}