Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.

An update of the rsync package has been released.

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8349-1 advisory.

    Calum Hutton discovered that rsync contained a heap-based out-of-bounds read when handling file transfers.
    A remote attacker with read access to an rsync server could possibly use this issue to cause a denial of     service. (CVE-2025-10158)

    Batuhan Sancak, Damien Neil, and Michael Stapelberg discovered that rsync daemons configured without     chroot protection were exposed to a race condition on parent path components. A local attacker with write     access to a module could possibly use this issue to overwrite files, obtain sensitive information, or     escalate privileges. (CVE-2026-29518)

    It was discovered that rsync did not properly validate a length value while sorting extended attributes.
    An attacker could possibly use this issue to cause a denial of service. (CVE-2026-41035)

    It was discovered that rsync performed reverse-DNS lookups after chrooting in some daemon configurations.
    A remote attacker could possibly use this issue to bypass hostname-based access controls and access     network services. (CVE-2026-43617)

    Omar Elsayed discovered that rsync did not properly check for integer overflows while decoding compressed     tokens. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-43618)

    Andrew Tridgell discovered that rsync did not fully fix a symlink race condition in path-based system     calls for daemons configured without chroot protection. A local attacker could possibly use this issue to     overwrite files, obtain sensitive information, or escalate privileges. (CVE-2026-43619)

    Pratham Gupta discovered that rsync did not properly validate an index while processing file lists. A     remote attacker could possibly use this issue to cause rsync to crash, resulting in a denial of service.
    (CVE-2026-43620)

    Michal Ruprich discovered that rsync contained an off-by-one error while handling HTTP proxy responses. An     attacker able to intercept network communications or a malicious proxy server could possibly use this     issue to cause a denial of service. (CVE-2026-45232)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2038-1 advisory.

    This update for rsync fixes the following issues


    - CVE-2026-29518: Symlink-Race TOCTOU in Daemon (bsc#1264511).
    - CVE-2026-41035: Count of entries mismatch can lead to a use-after-free (bsc#1262223)
    - CVE-2026-43617: Authorization Bypass via Hostname Resolution (bsc#1264515).
    - CVE-2026-43618: Integer Overflow Information Disclosure (bsc#1264512).
    - CVE-2026-43619: Symlink Race Condition via Path-Based Syscalls (bsc#1264514).
    - CVE-2026-43620: Out-of-Bounds Array Read via recv_files() (bsc#1264513).
    - CVE-2026-45232: Off-by-one stack OOB write in HTTP CONNECT proxy response parsing (bsc#1265296).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the ecca89eb-54e6-11f1-bc4a-40b034429ecf advisory.

    The rsync project reports:
    Six CVEs are fixed in this release. All six are assigned by VulnCheck as CNA.
                Affected versions are 3.4.2 and earlier in every case.
    In addition to the six CVE fixes, this release adds defence-in-depth                     hardening on several adjacent paths: bounded wire-supplied counts and                     lengths in flist/io/acls/xattrs, a guard against length underflow in                     cumulative snprintf() callers, a parent block-index bounds check on the                     receiver, a NULL check in read_delay_line(), a lower ceiling on                     MAX_WIRE_DEL_STAT to avoid signed-int overflow in the read_del_stats()                     accumulator, rejection of hyphen-prefixed remote-shell hostnames                     (defence-in-depth against argv-injection in tooling that forwards untrusted                     input into the hostspec position; reported by Aisle Research via Michal                     Ruprich), and a NULL-check on localtime_r() in timestring() to keep a                     malicious server from crashing the client by advertising a file with an                     out-of-range modtime.

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8283-1 advisory.

    Calum Hutton discovered that rsync contained a heap-based out-of-bounds read when handling file transfers.
    A remote attacker with read access to an rsync server could possibly use this issue to cause a denial of     service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2025-10158)

    Batuhan Sancak, Damien Neil, and Michael Stapelberg discovered that rsync daemons configured without     chroot protection were exposed to a race condition on parent path components. A local attacker with write     access to a module could possibly use this issue to overwrite files, obtain sensitive information, or     escalate privileges. (CVE-2026-29518)

    It was discovered that rsync did not properly validate a length value while sorting extended attributes.
    An attacker could possibly use this issue to cause a denial of service. (CVE-2026-41035)

    It was discovered that rsync performed reverse-DNS lookups after chrooting in some daemon configurations.
    A remote attacker could possibly use this issue to bypass hostname-based access controls and access     network services. (CVE-2026-43617)

    Omar Elsayed discovered that rsync did not properly check for integer overflows while decoding compressed     tokens. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-43618)

    Andrew Tridgell discovered that rsync did not fully fix a symlink race condition in path-based system     calls for daemons configured without chroot protection. A local attacker could possibly use this issue to     overwrite files, obtain sensitive information, or escalate privileges. (CVE-2026-43619)

    Pratham Gupta discovered that rsync did not properly validate an index while processing file lists. A     remote attacker could possibly use this issue to cause rsync to crash, resulting in a denial of service.
    (CVE-2026-43620)

    Michal Ruprich discovered that rsync contained an off-by-one error while handling HTTP proxy responses. An     attacker able to intercept network communications or a malicious proxy server could possibly use this     issue to cause a denial of service. (CVE-2026-45232)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of rsync installed on the remote host is prior to 3.4.3. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2026-141-02 advisory.

    New rsync packages are available for Slackware 15.0 and -current to fix security issues.

Tenable has extracted the preceding description block directly from the rsync security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-4591 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4591-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                    Thorsten Alteholz     May 20, 2026                                  https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : rsync     Version        : 3.2.3-4+deb11u4     CVE ID         : CVE-2026-29518 CVE-2026-43617 CVE-2026-43618                      CVE-2026-43619 CVE-2026-43620


    Several vulnerabilities were discovered in rsync, a fast, versatile,     remote (and local) file-copying tool, which may result in local     privilege escalation, bypass of intended access restrictions, remote     memory disclosure to an authenticated daemon peer or denial of service.


    For Debian 11 bullseye, these problems have been fixed in version     3.2.3-4+deb11u4.

    We recommend that you upgrade your rsync packages.

    For the detailed security status of rsync please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/rsync

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 12 / 13 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-6282 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6282-1                   security@debian.org     https://www.debian.org/security/                     Salvatore Bonaccorso     May 20, 2026                          https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : rsync     CVE ID         : CVE-2026-29518 CVE-2026-43617 CVE-2026-43618 CVE-2026-43619                      CVE-2026-43620 CVE-2026-45232

    Several vulnerabilities were discovered in rsync, a fast, versatile,     remote (and local) file-copying tool, which may result in local     privilege escalation, bypass of intended access restrictions, remote     memory disclosure to an authenticated daemon peer or denial of service.

    For the oldstable distribution (bookworm), these problems have been fixed     in version 3.2.7-1+deb12u5.

    For the stable distribution (trixie), these problems have been fixed in     version 3.4.1+ds1-5+deb13u3.

    We recommend that you upgrade your rsync packages.

    For the detailed security status of rsync please refer to its security     tracker page at:
    https://security-tracker.debian.org/tracker/rsync

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls     including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow     local attackers to redirect operations to files outside the exported rsync module. Attackers with local     filesystem access can exploit the timing window between path resolution and syscall execution by swapping     symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files     outside the intended module boundary on rsync daemons configured with 'use chroot = no'. (CVE-2026-43619)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
321789	Photon OS 5.0: Rsync PHSA-2026-5.0-0885	Nessus	PhotonOS Local Security Checks	high
318271	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS : rsync vulnerabilities (USN-8349-1)	Nessus	Ubuntu Local Security Checks	high
316960	SUSE SLED15 / SLES15 Security Update : rsync (SUSE-SU-2026:2038-1)	Nessus	SuSE Local Security Checks	high
316538	FreeBSD : ner/rsync -- multiple vulnerabilities (ecca89eb-54e6-11f1-bc4a-40b034429ecf)	Nessus	FreeBSD Local Security Checks	high
316077	Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : rsync vulnerabilities (USN-8283-1)	Nessus	Ubuntu Local Security Checks	high
316074	Slackware Linux 15.0 / current rsync Multiple Vulnerabilities (SSA:2026-141-02)	Nessus	Slackware Local Security Checks	high
315780	Debian dla-4591 : rsync - security update	Nessus	Debian Local Security Checks	high
315779	Debian dsa-6282 : rsync - security update	Nessus	Debian Local Security Checks	high
315596	Linux Distros Unpatched Vulnerability : CVE-2026-43619	Nessus	Misc.	medium

Detections

Analytics

CVE-2026-43619

high

Tenable Plugins

high

high

high

high

high

high

high

high

medium