Fluid Attacks Database

Description

Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	rsync	=3.4.1+ds1-5 \|\| =3.4.1+ds1-6 \|\| =3.4.1+ds1-7 \|\| =3.4.1+ds1-8~exp1 \|\| =3.4.2+ds1-1 \|\| =3.4.2+ds1-2 \|\| >=0 <3.4.3+ds1-1	3.4.3+ds1-1
alpine v3.20	rsync	>=0 <3.4.3-r0	3.4.3-r0
alpine v3.21	rsync	>=0 <3.4.3-r0	3.4.3-r0
debian 11	rsync	=3.2.3-4 \|\| =3.2.3-4+deb11u1 \|\| =3.2.3-4+deb11u2 \|\| =3.2.3-4+deb11u3 \|\| >=0 <3.2.3-4+deb11u4	3.2.3-4+deb11u4
debian 13	rsync	=3.4.1+ds1-5 \|\| =3.4.1+ds1-5+deb13u1 \|\| =3.4.1+ds1-5+deb13u2 \|\| >=0 <3.4.1+ds1-5+deb13u3	3.4.1+ds1-5+deb13u3
debian 12	rsync	=3.2.7-1 \|\| =3.2.7-1+deb12u1 \|\| =3.2.7-1+deb12u2 \|\| =3.2.7-1+deb12u3 \|\| =3.2.7-1+deb12u4 \|\| >=0 <3.2.7-1+deb12u5	3.2.7-1+deb12u5
alpine v3.22	rsync	>=0 <3.4.3-r0	3.4.3-r0
alpine v3.23	rsync	>=0 <3.4.3-r0	3.4.3-r0
rpm rhel6	rsync	-	-
rpm rhel7	rsync	-	-

1-10 of 13

Aliases

1. CVE-2026-295182. NVD-2026-295183. OSV-DEBIAN-2026-295184. OSV-2026-295185. OSV-ALPINE-2026-295186. SECURITY-TRACKER-CVE-2026-295187. SECURITY-CVE-2026-29518

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.