CVE-2026-43619
Description
Rsync versionΒ 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or β if you've already worked around this in production β publish your fix to the community-verified tier.
β Propose a mitigation on Community β Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | fixed | 3.2.7-1+deb12u5 |
| debian | bullseye | fixed | 3.2.3-4+deb11u4 |
| debian | forky | fixed | 3.4.3+ds1-1 |
| debian | sid | fixed | 3.4.3+ds1-1 |
| debian | trixie | fixed | 3.4.1+ds1-5+deb13u3 |
| windows | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| samba | rsync | {"endIncluding":"3.4.2"} | |
References
- https://github.com/RsyncProject/rsync/releases/tag/v3.4.3
- https://github.com/RsyncProject/rsync/security/advisories/GHSA-4h9m-w5ff-j735
- https://www.vulncheck.com/advisories/rsync-symlink-race-condition-via-path-based-syscalls
- https://www.suse.com/security/cve/CVE-2026-43619.html
- https://security-tracker.debian.org/tracker/CVE-2026-43619
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43619
CWEs
CWE-59 CWE-367
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.