CVE-2026-29518 Overview
CVE-2026-29518 is a time-of-check to time-of-use (TOCTOU) race condition in Rsync versions before 3.4.3. The flaw resides in daemon file handling, where attackers with write access to a module path can replace parent directory components with symbolic links. This redirects file writes outside intended directories, enabling arbitrary file creation or overwrite. When the Rsync daemon runs with elevated privileges and chroot is disabled, exploitation can lead to privilege escalation through modification of sensitive system files. The vulnerability is tracked under CWE-367 and only triggers when the daemon chroot setting is false.
Critical Impact
Authenticated attackers with module write access can overwrite arbitrary files on the Rsync daemon host, achieving privilege escalation when the daemon runs as root.
Affected Products
- Rsync versions prior to 3.4.3
- Rsync daemon deployments configured with use chroot = false
- Systems exposing Rsync modules with write access to untrusted users
Discovery Timeline
- 2026-05-20 - CVE-2026-29518 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-29518
Vulnerability Analysis
The vulnerability arises from a window between path validation and file write operations in the Rsync daemon. Rsync checks whether a target path is safe, then performs the file write as a separate step. An attacker who can write to a module path can race this sequence by inserting a symbolic link in place of a legitimate parent directory component. The daemon follows the link during the write phase and places file contents at attacker-chosen locations.
Because the daemon often runs with elevated privileges, attacker-controlled writes can target sensitive locations such as /etc/cron.d/, /root/.ssh/authorized_keys, or shared library paths. The result is an arbitrary file write that escalates to code execution or privilege escalation. The attack is constrained to deployments where the daemon's use chroot directive is set to false, which removes the filesystem isolation that would otherwise contain symlink resolution.
Root Cause
The root cause is non-atomic file operations in the Rsync daemon path handling logic. Validation and write operations are not protected against intermediate filesystem changes, leaving a TOCTOU window. Detailed patch context is available in the GitHub Pull Request changes.
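The general remedy for this bug class, as an added example (not rsync's code and not the 3.4.3 patch): walk the path one component at a time relative to an open directory descriptor with O_NOFOLLOW, so a symlink swapped in after any earlier check is refused instead of followed. The function names and the temporary directory layout are constructed for illustration, and the code assumes a POSIX system such as Linux.

```python
import os
import tempfile

def open_beneath(root, relpath, flags=os.O_WRONLY | os.O_CREAT, mode=0o600):
    """Open relpath under root, refusing a symlink in any path component."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("path escapes root")
    dirfd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            # Each parent is opened relative to the previous descriptor, so the
            # check and the use are the same system call: there is no window.
            nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=dirfd)
            os.close(dirfd)
            dirfd = nxt
        # O_NOFOLLOW on the last component also rejects a symlinked target file.
        return os.open(parts[-1], flags | os.O_NOFOLLOW, mode, dir_fd=dirfd)
    finally:
        os.close(dirfd)

def demo():
    """Constructed layout: 'sub' inside the module root is a symlink leading outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "module")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(root, "real"))
        os.mkdir(outside)
        os.symlink(outside, os.path.join(root, "sub"))
        os.close(open_beneath(root, "real/ok.txt"))   # ordinary directory: allowed
        try:
            os.close(open_beneath(root, "sub/file.txt"))
            refused = False
        except OSError:                               # ELOOP or ENOTDIR
            refused = True
        return refused, os.listdir(outside), os.listdir(os.path.join(root, "real"))

if __name__ == "__main__":
    print(demo())
```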
Attack Vector
Exploitation requires local or authenticated network access to an Rsync module with write permission. The attacker uploads files while concurrently swapping parent directory components for symbolic links pointing outside the module root. When the daemon resolves the path during the write phase, the link is followed and the file lands at the attacker-chosen target. The VulnCheck advisory provides additional exploitation context.
Detection Methods for CVE-2026-29518
Indicators of Compromise
- Unexpected symbolic links inside Rsync module directories pointing to system paths such as /etc/, /root/, or /usr/lib/.
- Modifications to sensitive files (authorized_keys, cron files, PAM configuration) with timestamps aligned to Rsync daemon activity.
- Rsync daemon log entries showing repeated transfers from the same client targeting paths with directory components that change between requests.
Detection Strategies
- Monitor rsyncd process file write activity for operations resolving outside configured module roots.
- Audit Rsync daemon configurations across the environment for entries where use chroot = false is combined with writable modules.
- Correlate filesystem auditd events for symlink syscalls originating from rsync daemon child processes with subsequent writes to sensitive paths.
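One way to run the configuration audit described above, as an added example rather than a tool from the Rsync project or the advisory: it parses rsyncd.conf text and reports modules where chroot is explicitly disabled (the directive is spelled use chroot) and writes are allowed. The sample config is constructed; line continuations and &include/&merge directives are not handled.

```python
import re

FALSE = {"no", "false", "0"}  # rsyncd.conf boolean spellings for "off"

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}) with normalised parameter names."""
    glob, modules = {}, {}
    current = glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            name = header.group(1).strip()
            current = glob if name.lower() == "global" else modules.setdefault(name, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            # rsync ignores case and whitespace in parameter names
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return glob, modules

def risky_modules(text):
    """List (module, path, runs_as_root) where chroot is off and writes are allowed."""
    glob, modules = parse_rsyncd_conf(text)
    findings = []
    for name, params in modules.items():
        eff = {**glob, **params}  # module settings override global defaults
        chroot_off = eff.get("usechroot", "").lower() in FALSE
        writable = eff.get("readonly", "yes").lower() in FALSE  # read only defaults to on
        if chroot_off and writable:
            as_root = eff.get("uid", "").lower() in {"root", "0"}
            findings.append((name, eff.get("path"), as_root))
    return findings

# Constructed sample config, not taken from a real host.
SAMPLE = """\
uid = root
use chroot = no
[backup]
path = /srv/rsync/backup
read only = false
[mirror]
path = /srv/rsync/mirror
[upload]
path = /srv/rsync/upload
Use Chroot = yes
read only = no
"""

if __name__ == "__main__":
    print(risky_modules(SAMPLE))
```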
Monitoring Recommendations
- Enable verbose Rsync daemon logging and forward logs to a centralized analytics platform for path-based anomaly detection.
- Alert on creation of symbolic links inside any directory exposed by rsyncd.conf modules.
- Track file integrity on system-critical paths (/etc/, /root/.ssh/, /var/spool/cron/) to detect unauthorized writes.
How to Mitigate CVE-2026-29518
Immediate Actions Required
- Upgrade Rsync to version 3.4.3 or later on all daemon hosts. Refer to the GitHub Release v3.4.3 for binaries and source.
- Audit all rsyncd.conf files and set use chroot = true for any module exposing writable paths.
- Restrict write access on Rsync modules to trusted, authenticated users only.
Patch Information
The Rsync project addressed CVE-2026-29518 in release 3.4.3. The patch modifies daemon file handling to eliminate the TOCTOU window during path resolution and file write. Patch details and code changes are documented in Rsync pull request #895.
Workarounds
- Set use chroot = true in rsyncd.conf for every module to confine daemon file operations within the module root.
- Set affected modules to read only = true until patching is complete, preventing the write access required for exploitation.
- Run the Rsync daemon under an unprivileged service account using uid and gid directives to reduce the impact of arbitrary writes.
# Configuration example - hardened rsyncd.conf
uid = nobody
gid = nogroup
use chroot = true
[backup]
path = /srv/rsync/backup
read only = true
list = yes
auth users = backupuser
secrets file = /etc/rsyncd.secrets


