{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/rsync--3.4.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7,"id":"CVE-2026-29518"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["rsync (\u003c 3.4.3)"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","toctou","rsync"],"_cs_type":"advisory","_cs_vendors":["rsync"],"content_html":"\u003cp\u003eRsync before version 3.4.3 is susceptible to a time-of-check to time-of-use (TOCTOU) race condition in how the daemon handles files. This vulnerability allows an attacker with write access to an Rsync module path to manipulate file writes. By replacing parent directory components with symbolic links, an attacker can redirect file writes to locations outside of the intended directories. The vulnerability is triggered when the chroot setting is false. This can lead to arbitrary file creation or overwriting, and potentially escalate privileges if the Rsync daemon runs with elevated permissions. 
This vulnerability was published in May 2026 and is identified as CVE-2026-29518.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains write access to an Rsync module path, either through compromised credentials or misconfiguration.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a target file or location outside of the intended module path.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious directory structure within the Rsync module path, replacing parent directories with symbolic links pointing to attacker-controlled locations.\u003c/li\u003e\n\u003cli\u003eAttacker initiates a file transfer operation using Rsync, targeting a file within the crafted malicious directory structure.\u003c/li\u003e\n\u003cli\u003eRsync daemon performs initial checks on the directory structure.\u003c/li\u003e\n\u003cli\u003eBetween the check and the actual file write, the attacker modifies the symbolic links to redirect the write operation to the target file or location outside of the Rsync module path.\u003c/li\u003e\n\u003cli\u003eRsync daemon writes the file to the attacker-specified location, bypassing intended access controls.\u003c/li\u003e\n\u003cli\u003eIf the attacker overwrites sensitive system files, this can lead to privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to create or overwrite arbitrary files on the system, potentially leading to privilege escalation if the Rsync daemon is running with elevated privileges. If the attacker overwrites critical system binaries or configuration files, they can gain complete control of the system. 
The impact is limited to systems where the chroot setting is false.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Rsync to version 3.4.3 or later to patch CVE-2026-29518.\u003c/li\u003e\n\u003cli\u003eApply the \u0026ldquo;Detect Rsync TOCTOU Attempt via Symlink Creation\u0026rdquo; and \u0026ldquo;Detect Rsync TOCTOU Attempt via File Modification\u0026rdquo; Sigma rules to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnsure the chroot setting is enabled in Rsync configurations to mitigate the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T13:17:51Z","date_published":"2026-05-20T13:17:51Z","id":"https://feed.craftedsignal.io/briefs/2026-05-rsync-toctou/","summary":"Rsync versions before 3.4.3 are vulnerable to a TOCTOU race condition allowing attackers with write access to a module path to redirect file writes outside intended directories by replacing parent directory components with symbolic links, potentially leading to privilege escalation when the daemon runs with elevated privileges and chroot is disabled.","title":"Rsync TOCTOU Vulnerability Allows File Write Redirection","url":"https://feed.craftedsignal.io/briefs/2026-05-rsync-toctou/"}],"language":"en","title":"CraftedSignal Threat Feed — Rsync (\u003c 3.4.3)","version":"https://jsonfeed.org/version/1.1"}