{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/rsync/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7,"id":"CVE-2026-29518"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["rsync (\u003c 3.4.3)"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","toctou","rsync"],"_cs_type":"advisory","_cs_vendors":["rsync"],"content_html":"\u003cp\u003eRsync before version 3.4.3 is susceptible to a time-of-check to time-of-use (TOCTOU) race condition in how the daemon handles files. This vulnerability allows an attacker with write access to an Rsync module path to manipulate file writes. By replacing parent directory components with symbolic links, an attacker can redirect file writes to locations outside of the intended directories. The vulnerability is triggered when the chroot setting is false. This can lead to arbitrary file creation or overwriting, and potentially escalate privileges if the Rsync daemon runs with elevated permissions. 
This vulnerability was published in May 2026 and is identified as CVE-2026-29518.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains write access to an Rsync module path, either through compromised credentials or misconfiguration.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a target file or location outside of the intended module path.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious directory structure within the Rsync module path, replacing parent directories with symbolic links pointing to attacker-controlled locations.\u003c/li\u003e\n\u003cli\u003eAttacker initiates a file transfer operation using Rsync, targeting a file within the crafted malicious directory structure.\u003c/li\u003e\n\u003cli\u003eRsync daemon performs initial checks on the directory structure.\u003c/li\u003e\n\u003cli\u003eBetween the check and the actual file write, the attacker modifies the symbolic links to redirect the write operation to the target file or location outside of the Rsync module path.\u003c/li\u003e\n\u003cli\u003eRsync daemon writes the file to the attacker-specified location, bypassing intended access controls.\u003c/li\u003e\n\u003cli\u003eIf the attacker overwrites sensitive system files, this can lead to privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to create or overwrite arbitrary files on the system, potentially leading to privilege escalation if the Rsync daemon is running with elevated privileges. If the attacker overwrites critical system binaries or configuration files, they can gain complete control of the system. 
The impact is limited to systems where the chroot setting is false.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Rsync to version 3.4.3 or later to patch CVE-2026-29518.\u003c/li\u003e\n\u003cli\u003eApply the \u0026ldquo;Detect Rsync TOCTOU Attempt via Symlink Creation\u0026rdquo; and \u0026ldquo;Detect Rsync TOCTOU Attempt via File Modification\u0026rdquo; Sigma rules to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnsure the chroot setting is enabled in Rsync configurations to mitigate the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T13:17:51Z","date_published":"2026-05-20T13:17:51Z","id":"https://feed.craftedsignal.io/briefs/2026-05-rsync-toctou/","summary":"Rsync versions before 3.4.3 are vulnerable to a TOCTOU race condition allowing attackers with write access to a module path to redirect file writes outside intended directories by replacing parent directory components with symbolic links, potentially leading to privilege escalation when the daemon runs with elevated privileges and chroot is disabled.","title":"Rsync TOCTOU Vulnerability Allows File Write Redirection","url":"https://feed.craftedsignal.io/briefs/2026-05-rsync-toctou/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-43618"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["rsync \u003c= 3.4.2"],"_cs_severities":["high"],"_cs_tags":["integer overflow","information disclosure","rsync"],"_cs_type":"advisory","_cs_vendors":["rsync"],"content_html":"\u003cp\u003eRsync, a widely used utility for synchronizing files between computer systems, is susceptible to an integer overflow vulnerability (CVE-2026-43618) within its compressed-token decoder. Specifically, versions 3.4.2 and earlier fail to adequately validate a 32-bit signed counter, leading to an overflow condition. 
A malicious rsync sender can exploit this flaw by crafting a specially designed data stream that triggers the overflow during decompression on the receiving end. This overflow can cause the receiver process to read data outside of the intended buffer boundaries. Successful exploitation results in the disclosure of sensitive process memory contents.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious data stream designed to exploit the integer overflow in the rsync compressed-token decoder.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates an rsync session with a vulnerable rsync server (version 3.4.2 or prior).\u003c/li\u003e\n\u003cli\u003eDuring data transfer, the malicious data stream is sent to the rsync server.\u003c/li\u003e\n\u003cli\u003eThe rsync server attempts to decompress the data stream using the vulnerable compressed-token decoder.\u003c/li\u003e\n\u003cli\u003eThe 32-bit signed counter overflows due to the crafted data stream.\u003c/li\u003e\n\u003cli\u003eThe overflow causes the rsync server process to read data from memory locations outside the intended buffer.\u003c/li\u003e\n\u003cli\u003eSensitive information, such as environment variables, passwords, heap data, stack data, and library memory pointers, is exposed.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the disclosed memory contents, potentially facilitating further exploitation and bypassing ASLR.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-43618 leads to information disclosure on the affected system. An attacker can potentially access sensitive data residing in the rsync process memory, including environment variables, passwords, and memory addresses. This leaked information can be leveraged to bypass ASLR, escalate privileges, and perform lateral movement within the network. 
The vulnerability poses a significant risk to the confidentiality and integrity of the affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade rsync to a version higher than 3.4.2 to patch CVE-2026-43618.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Rsync CVE-2026-43618 Integer Overflow Attempt\u003c/code\u003e to detect potential exploitation attempts by monitoring process command-line arguments.\u003c/li\u003e\n\u003cli\u003eReview systems running vulnerable rsync versions for suspicious network connections and memory access patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T02:18:47Z","date_published":"2026-05-20T02:18:47Z","id":"https://feed.craftedsignal.io/briefs/2026-05-rsync-integer-overflow/","summary":"Rsync versions 3.4.2 and prior contain an integer overflow vulnerability (CVE-2026-43618) in the compressed-token decoder, allowing a malicious sender to trigger out-of-bounds memory access on the receiver and disclose sensitive process memory.","title":"Rsync Integer Overflow Vulnerability Leading to Information Disclosure (CVE-2026-43618)","url":"https://feed.craftedsignal.io/briefs/2026-05-rsync-integer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Rsync","version":"https://jsonfeed.org/version/1.1"}