PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-29518 RsyncProject CVE debrief

CVE-2026-29518 affects rsync versions before 3.4.3. The issue is a time-of-check to time-of-use (TOCTOU) race in daemon file handling that can let an attacker redirect writes outside the intended directory by swapping parent path components with symbolic links. In the conditions described, an attacker with write access to a module path could create or overwrite arbitrary files, which may lead to sensitive file modification and privilege escalation if the daemon runs with elevated privileges. The issue only applies when chroot is false.

Vendor: RsyncProject
Product: rsync
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Administrators and security teams running rsync daemon deployments, especially any setup that allows write access to a module path and does not use chroot. Systems where the daemon runs with elevated privileges should be treated as higher risk.

Technical summary

The corpus describes a TOCTOU race in rsync daemon file handling. Because path validation and file use are separate steps, an attacker who can write to a module path may replace parent directory components with symbolic links between the check and the use, redirecting writes to attacker-chosen locations outside the intended tree. The issue is classified as CWE-367 and is limited to configurations where chroot is false. The linked upstream release is v3.4.3, which is the fixed version referenced in the corpus.

Defensive priority

High

Recommended defensive actions

  • Upgrade rsync to 3.4.3 or later.
  • If feasible, run the daemon with chroot enabled; the reported issue only triggers when chroot is false.
  • Review rsync module permissions and remove write access where not strictly required.
  • Run the daemon with the least privilege practical for the deployment.
  • Audit systems for unexpected file writes or configuration changes in locations writable through rsync modules.
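The second and third actions above can be checked mechanically. The following is an added example for this debrief, not code from PatchSiren or the rsync project: it parses an rsyncd.conf and flags modules whose effective settings are writable (read only = no) while chroot is off (use chroot = no). It assumes rsync's documented defaults (both options default to yes), treats `&include`/`&merge` directives as out of scope, and uses a constructed sample configuration.

```python
# Added example (not rsync project code): flag rsyncd.conf modules that are
# writable while chroot is off, the precondition named for CVE-2026-29518.
SAMPLE_RSYNCD_CONF = """\
# constructed sample: global defaults apply unless a module overrides them
use chroot = no
read only = yes

[backup]
    path = /srv/backup
    read only = no

[secure]
    path = /srv/secure
    use chroot = yes
    read only = false
"""

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}) with lower-cased keys."""
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank and comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
            continue
        if "=" not in line:                  # &include/&merge not handled here
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        key = " ".join(key.lower().split())  # "Use  Chroot" -> "use chroot"
        (global_params if current is None else modules[current])[key] = value
    return global_params, modules

def as_bool(value, default):
    """rsync booleans are yes/true/1 or no/false/0, case-insensitive."""
    return default if value is None else value.lower() in ("yes", "true", "1")

def exposed_modules(text):
    """Modules whose effective settings are 'read only = no' and 'use chroot = no'."""
    global_params, modules = parse_rsyncd_conf(text)
    flagged = []
    for name, params in modules.items():
        eff = {**global_params, **params}    # module settings override globals
        chroot = as_bool(eff.get("use chroot"), default=True)    # rsync default: yes
        read_only = as_bool(eff.get("read only"), default=True)  # rsync default: yes
        if not chroot and not read_only:
            flagged.append(name)
    return flagged
```

Running `exposed_modules(SAMPLE_RSYNCD_CONF)` on the sample flags only `backup`; `secure` is writable but chrooted, so it falls outside the reported condition.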

Evidence notes

The supplied corpus includes an NVD record for CVE-2026-29518 marked 'Undergoing Analysis' and a CWE-367 classification. Reference links point to a Vulncheck advisory, a GitHub rsync pull request/changeset, and the rsync v3.4.3 release tag. The CVE timing used here follows the provided publishedAt/modifiedAt fields on 2026-05-20. The corpus metadata is inconsistent about vendor naming: it lists 'Unknown Vendor' while the linked references clearly point to RsyncProject/rsync.

Official resources

Public disclosure in the supplied corpus is anchored by the Vulncheck advisory and the linked upstream rsync v3.4.3 release, with the CVE published on 2026-05-20.