7.2

CVE-2026-43619

Rsync < 3.4.3 Symlink Race Condition via Path-Based Syscalls

Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SambaRsync Version <= 3.4.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.14% 0.033
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
disclosure@vulncheck.com 6.3 1 5.2
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
disclosure@vulncheck.com 7.2 0 0
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

https://github.com/RsyncProject/rsync/releases/tag/v3.4.3
Release Notes
https://github.com/RsyncProject/rsync/security/advisories/GHSA-4h9m-w5ff-j735
Vendor Advisory
https://www.vulncheck.com/advisories/rsync-symlink-race-condition-via-path-based-syscalls
Third Party Advisory