CVE-2026-29518 affects rsync versions before 3.4.3. The issue is a time-of-check to time-of-use race in daemon file handling that can let an attacker redirect writes outside the intended directory by swapping parent path components with symbolic links. In the conditions described, an attacker with write access to a module path could create or overwrite arbitrary files, which may lead to sensitive file mod [truncated]
CVE-2026-43618 affects rsync 3.4.2 and prior. A signed 32-bit counter in the compressed-token decoder is not checked for overflow, which can let a malicious sender cause the receiver to read and return data outside the intended buffer. The practical impact is information disclosure from process memory, including secrets and memory pointers that can weaken ASLR.
CVE-2026-43617 is an authorization bypass in rsync daemon deployments that rely on hostname-based access controls while running in chroot. Published on 2026-05-20, the issue affects rsync 3.4.2 and prior. The bug can let a remote attacker influence reverse DNS results for their source IP and bypass hostname-based deny rules that were expected to block the connection. The vendor advisory and release notes [truncated]
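To find daemon modules that match the deployment pattern in the CVE-2026-43617 entry (hostname-based `hosts allow` / `hosts deny` entries, with chroot possibly in effect), the following audit script is an added example, not code from the rsync project or its advisory. It assumes a simplified rsyncd.conf parse, treats an unset `use chroot` as possibly chrooted, and runs on a constructed sample config.

```python
import ipaddress
import re

# Constructed sample config for illustration (not from a real deployment).
SAMPLE_CONF = """\
use chroot = yes
hosts deny = *.example.net
[pub]
    path = /srv/pub
[backup]
    hosts allow = 192.0.2.0/24, 2001:db8::/32
    hosts deny = *
[mirror]
    use chroot = no
    hosts deny = badhost.example.org 198.51.100.7
"""

def hostname_patterns(value):
    """Return ACL entries that are not IP addresses or networks."""
    found = []
    for token in re.split(r"[\s,]+", value.strip()):
        # Assumption: a bare "*" matches every client and is not name-dependent.
        if not token or token == "*":
            continue
        try:
            ipaddress.ip_network(token, strict=False)
        except ValueError:
            found.append(token)  # depends on a DNS name for the client
    return found

def audit(conf_text):
    """Map module name -> hostname-based ACL findings (globals inherited)."""
    globals_, modules, current = {}, {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, val = line.split("=", 1)
            key = " ".join(key.lower().split())  # normalise parameter name
            (globals_ if current is None else current)[key] = val.strip()
    report = {}
    for name, params in modules.items():
        eff = {**globals_, **params}  # module settings override globals
        names = {k: hostname_patterns(eff.get(k, "")) for k in ("hosts allow", "hosts deny")}
        chroot = eff.get("use chroot", "unset").lower()
        if any(names.values()):
            report[name] = {**names, "chroot_possible": chroot not in ("no", "false", "0")}
    return report
```

Modules reported with `chroot_possible` set to true are the ones to move to IP or CIDR rules, or to prioritise for upgrade past 3.4.2.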