CVE Vulnerabilities

CVE-2026-43619

Improper Link Resolution Before File Access ('Link Following')

Published: May 20, 2026 | Modified: May 21, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
6.3 MODERATE
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Rsync versionĀ 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with use chroot = no.

Weakness

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Affected Software

NameVendorStart VersionEnd Version
RsyncSamba*3.4.2 (including)
RsyncUbuntudevel*
RsyncUbuntuesm-infra-legacy/trusty*
RsyncUbuntuesm-infra-legacy/xenial*
RsyncUbuntuesm-infra/bionic*
RsyncUbuntuesm-infra/focal*
RsyncUbuntuesm-infra/xenial*
RsyncUbuntujammy*
RsyncUbuntunoble*
RsyncUbuntuquesting*
RsyncUbunturesolute*
RsyncUbuntuupstream*

Potential Mitigations

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

References