CVE-2026-43619: Time-of-check Time-of-use (TOCTOU) Race Condition in RsyncProject rsync
Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.
AI Analysis
Technical Summary
CVE-2026-43619 is a high-severity vulnerability affecting rsync versions up to 3.4.2. It is a TOCTOU race condition involving symlink handling in path-based system calls such as chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat. Local attackers with filesystem access can exploit the timing window between path resolution and syscall execution to redirect operations outside the exported rsync module, potentially modifying arbitrary files when the rsync daemon is configured without chroot isolation ('use chroot = no'). The CVSS 4.0 score is 7.2, reflecting high impact with local attack vector, high complexity, and partial privileges required.
Potential Impact
Successful exploitation allows a local attacker to modify files outside the intended rsync module boundary by redirecting file operations through symlink swapping. This can lead to unauthorized changes in file permissions, ownership, timestamps, or filenames on the target system. The vulnerability affects rsync daemons configured without chroot isolation, increasing the risk of unauthorized file system modifications.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, it is recommended to configure rsync daemons with 'use chroot = yes' to isolate the file system and mitigate the risk of this race condition. Avoid running rsync daemons with elevated privileges and restrict local filesystem access to trusted users only.
CVE-2026-43619: Time-of-check Time-of-use (TOCTOU) Race Condition in RsyncProject rsync
Description
Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-43619 is a high-severity vulnerability affecting rsync versions up to 3.4.2. It is a TOCTOU race condition involving symlink handling in path-based system calls such as chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat. Local attackers with filesystem access can exploit the timing window between path resolution and syscall execution to redirect operations outside the exported rsync module, potentially modifying arbitrary files when the rsync daemon is configured without chroot isolation ('use chroot = no'). The CVSS 4.0 score is 7.2, reflecting high impact with local attack vector, high complexity, and partial privileges required.
Potential Impact
Successful exploitation allows a local attacker to modify files outside the intended rsync module boundary by redirecting file operations through symlink swapping. This can lead to unauthorized changes in file permissions, ownership, timestamps, or filenames on the target system. The vulnerability affects rsync daemons configured without chroot isolation, increasing the risk of unauthorized file system modifications.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, it is recommended to configure rsync daemons with 'use chroot = yes' to isolate the file system and mitigate the risk of this race condition. Avoid running rsync daemons with elevated privileges and restrict local filesystem access to trusted users only.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-05-01T18:22:45.639Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0d0f6cba1db473621796df
Added to database: 5/20/2026, 1:33:32 AM
Last enriched: 5/20/2026, 1:48:33 AM
Last updated: 5/20/2026, 3:20:19 PM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.