<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Rsync — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/rsync/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 20 May 2026 13:17:51 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/rsync/feed.xml" rel="self" type="application/rss+xml"/><item><title>Rsync TOCTOU Vulnerability Allows File Write Redirection</title><link>https://feed.craftedsignal.io/briefs/2026-05-rsync-toctou/</link><pubDate>Wed, 20 May 2026 13:17:51 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-rsync-toctou/</guid><description>Rsync versions before 3.4.3 are vulnerable to a TOCTOU race condition allowing attackers with write access to a module path to redirect file writes outside intended directories by replacing parent directory components with symbolic links, potentially leading to privilege escalation when the daemon runs with elevated privileges and chroot is disabled.</description><content:encoded><![CDATA[<p>Rsync before version 3.4.3 is susceptible to a time-of-check to time-of-use (TOCTOU) race condition in how the daemon handles files. This vulnerability allows an attacker with write access to an Rsync module path to manipulate file writes. By replacing parent directory components with symbolic links, an attacker can redirect file writes to locations outside of the intended directories. The vulnerability is triggered when the chroot setting is false.
This can lead to arbitrary file creation or overwriting, and potentially escalate privileges if the Rsync daemon runs with elevated permissions. This vulnerability was published in May 2026 and is identified as CVE-2026-29518.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains write access to an Rsync module path, either through compromised credentials or misconfiguration.</li>
<li>Attacker identifies a target file or location outside of the intended module path.</li>
<li>Attacker crafts a malicious directory structure within the Rsync module path, replacing parent directories with symbolic links pointing to attacker-controlled locations.</li>
<li>Attacker initiates a file transfer operation using Rsync, targeting a file within the crafted malicious directory structure.</li>
<li>Rsync daemon performs initial checks on the directory structure.</li>
<li>Between the check and the actual file write, the attacker modifies the symbolic links to redirect the write operation to the target file or location outside of the Rsync module path.</li>
<li>Rsync daemon writes the file to the attacker-specified location, bypassing intended access controls.</li>
<li>If the attacker overwrites sensitive system files, this can lead to privilege escalation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers to create or overwrite arbitrary files on the system, potentially leading to privilege escalation if the Rsync daemon is running with elevated privileges. If the attacker overwrites critical system binaries or configuration files, they can gain complete control of the system. The impact is limited to systems where the chroot setting is false.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Rsync to version 3.4.3 or later to patch CVE-2026-29518.</li>
<li>Apply the &ldquo;Detect Rsync TOCTOU Attempt via Symlink Creation&rdquo; and &ldquo;Detect Rsync TOCTOU Attempt via File Modification&rdquo; Sigma rules to identify potential exploitation attempts.</li>
<li>Ensure the chroot setting is enabled in Rsync configurations to mitigate the vulnerability.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>toctou</category><category>rsync</category></item><item><title>Rsync Integer Overflow Vulnerability Leading to Information Disclosure (CVE-2026-43618)</title><link>https://feed.craftedsignal.io/briefs/2026-05-rsync-integer-overflow/</link><pubDate>Wed, 20 May 2026 02:18:47 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-rsync-integer-overflow/</guid><description>Rsync versions 3.4.2 and prior contain an integer overflow vulnerability (CVE-2026-43618) in the compressed-token decoder, allowing a malicious sender to trigger out-of-bounds memory access on the receiver and disclose sensitive process memory.</description><content:encoded><![CDATA[<p>Rsync, a widely used utility for synchronizing files between computer systems, is susceptible to an integer overflow vulnerability (CVE-2026-43618) within its compressed-token decoder. Specifically, versions 3.4.2 and earlier fail to adequately validate a 32-bit signed counter, leading to an overflow condition. A malicious rsync sender can exploit this flaw by crafting a specially designed data stream that triggers the overflow during decompression on the receiving end. This overflow can cause the receiver process to read data outside of the intended buffer boundaries. Successful exploitation results in the disclosure of sensitive process memory contents.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a malicious data stream designed to exploit the integer overflow in the rsync compressed-token decoder.</li>
<li>The attacker initiates an rsync session with a vulnerable rsync server (version 3.4.2 or prior).</li>
<li>During data transfer, the malicious data stream is sent to the rsync server.</li>
<li>The rsync server attempts to decompress the data stream using the vulnerable compressed-token decoder.</li>
<li>The 32-bit signed counter overflows due to the crafted data stream.</li>
<li>The overflow causes the rsync server process to read data from memory locations outside the intended buffer.</li>
<li>Sensitive information, such as environment variables, passwords, heap data, stack data, and library memory pointers, is exposed.</li>
<li>The attacker gains access to the disclosed memory contents, potentially facilitating further exploitation and bypassing ASLR.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-43618 leads to information disclosure on the affected system. An attacker can potentially access sensitive data residing in the rsync process memory, including environment variables, passwords, and memory addresses. This leaked information can be leveraged to bypass ASLR, escalate privileges, and perform lateral movement within the network. The vulnerability poses a significant risk to the confidentiality and integrity of the affected systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade rsync to a version higher than 3.4.2 to patch CVE-2026-43618.</li>
<li>Deploy the Sigma rule <code>Detect Rsync CVE-2026-43618 Integer Overflow Attempt</code> to detect potential exploitation attempts by monitoring process command-line arguments.</li>
<li>Review systems running vulnerable rsync versions for suspicious network connections and memory access patterns.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>integer overflow</category><category>information disclosure</category><category>rsync</category></item></channel></rss>