CVE-2026-43619
6.3 MEDIUMRsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, ...
Published: 2026-05-20 · Last updated: 2026-05-21
Severity and scoring
- CVSS
- 6.3 MEDIUM
- Vector
- CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
- CWE
- CWE-367, CWE-59
Affected products
| Vendor | Product |
|---|---|
| samba | rsync |
Description
Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-43619
- [Other]https://github.com/RsyncProject/rsync/releases/tag/v3.4.3
- [Vendor advisory]https://github.com/RsyncProject/rsync/security/advisories/GHSA-4h9m-w5ff-j735
- [Other]https://www.vulncheck.com/advisories/rsync-symlink-race-condition-via-path-based-syscalls
Related CVEs
Same vendor
- CVE-2026-4408 — A flaw was found in Samba (9.0 CRITICAL)
- CVE-2026-2340 — A flaw was found in Samba’s vfs_worm module (6.5 MEDIUM)
- CVE-2026-1933 — A flaw was found in Samba’s handling of NTFS-style reparse points on shares configured with read only = yes (7.1 HIGH)
- CVE-2026-3012 — A flaw was found in Samba’s certificate auto-enrollment Group Policy handling (8.0 HIGH)
- CVE-2026-4480 — A flaw was found in the Samba printing subsystem (9.0 CRITICAL)
Same CWE
- CVE-2026-50656 — Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as ... (7.8 HIGH)
- CVE-2026-54230 — A symlink following vulnerability was found in the ABRT post-create event handler scripts in libreport (7.0 HIGH)
- CVE-2026-54228 — A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method (7.8 HIGH)
- CVE-2026-53838 — OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approv... (9.8 CRITICAL)
- CVE-2026-53831 — OpenClaw before 2026.5.18 contains a policy enforcement vulnerability in system.run safe-bin allowlist validation that allows shell expan... (8.3 HIGH)