CVE-2026-29518
7.0 HIGHRsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers ...
Published: 2026-05-20 · Last updated: 2026-05-26
Severity and scoring
- CVSS
- 7.0 HIGH
- Vector
- CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-367
Affected products
| Vendor | Product |
|---|---|
| samba | rsync |
Description
Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-29518
- [Patch]https://github.com/RsyncProject/rsync/pull/895/changes/8471fdd1561049ef5f58df44a1811a50bd9a531d
- [Other]https://github.com/RsyncProject/rsync/releases/tag/v3.4.3
- [Other]https://michael.stapelberg.ch/posts/2026-05-24-minimal-memory-safe-go-rsync-vulns/
- [Other]https://www.vulncheck.com/advisories/rsync-toctou-race-condition-allows-symlink-based-arbitrary-file-write
Related CVEs
Same vendor
- CVE-2026-4408 — A flaw was found in Samba (9.0 CRITICAL)
- CVE-2026-2340 — A flaw was found in Samba’s vfs_worm module (6.5 MEDIUM)
- CVE-2026-1933 — A flaw was found in Samba’s handling of NTFS-style reparse points on shares configured with read only = yes (7.1 HIGH)
- CVE-2026-3012 — A flaw was found in Samba’s certificate auto-enrollment Group Policy handling (8.0 HIGH)
- CVE-2026-4480 — A flaw was found in the Samba printing subsystem (9.0 CRITICAL)
Same CWE
- CVE-2026-54228 — A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method (7.8 HIGH)
- CVE-2026-53838 — OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approv... (9.8 CRITICAL)
- CVE-2026-53831 — OpenClaw before 2026.5.18 contains a policy enforcement vulnerability in system.run safe-bin allowlist validation that allows shell expan... (8.3 HIGH)
- CVE-2026-53822 — OpenClaw before 2026.5.18 contains a command injection vulnerability where shell wrapper argv could change between approval and execution (8.8 HIGH)
- CVE-2026-54055 — Kitty is a cross-platform GPU based terminal (5.0 MEDIUM)