Vulnerability-Lookup

RHSA-2026:26408

Vulnerability from csaf_redhat - Published: 2026-06-16 17:37 - Updated: 2026-06-17 03:58

Summary

Red Hat Security Advisory: rsync security update

Severity

Important

Notes

Topic: An update for rsync is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool. Security Fix(es): * rsync: rsync: Remote memory disclosure via integer overflow in compressed-token decoding (CVE-2026-43618) * rsync: TOCTOU symlink race condition allowing local privilege escalation in daemon mode without chroot. (CVE-2026-29518) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-29518

A flaw was found in rsync. An rsync daemon configured with "use chroot = no" is exposed to a time-of-check / time-of-use race on parent path components. A local attacker with write access to a module can replace a parent directory component with a symlink between the receiver's check and its open(), redirecting reads (basis-file disclosure) and writes (file overwrite) outside the module. Under elevated daemon privilege this allows privilege escalation. Default "use chroot = yes" is not exposed. Reach: local attacker on the daemon host, write access to a module path, daemon configured with use chroot = no.

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

Affected products

Fixed 14 products

Product	Version	Remediation
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.aarch64	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.s390x	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.src	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.x86_64	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-daemon-0:3.1.3-27.el8_10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.aarch64	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.s390x	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.x86_64	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.aarch64	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.s390x	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.x86_64	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-43618

A flaw was found in rsync. An authenticated daemon peer can exploit an integer overflow vulnerability in the compressed-token decoder. By carefully manipulating the compressed-token, a malicious sender can trigger an overflow, leading to remote memory disclosure. This allows an attacker to leak sensitive process memory contents, including environment variables, passwords, and memory pointers, which significantly weakens Address Space Layout Randomization (ASLR) and can facilitate further exploitation.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-190 - Integer Overflow or Wraparound

Affected products

Fixed 14 products

Product	Version	Remediation
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.aarch64	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.s390x	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.src	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.x86_64	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-daemon-0:3.1.3-27.el8_10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.aarch64	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.s390x	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.x86_64	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.aarch64	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.s390x	—	Vendor Fix fix Workaround
Unresolved product id: BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.x86_64	—	Vendor Fix fix Workaround

Threats

Impact Important

References

13 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:26408	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2469054	external
https://bugzilla.redhat.com/show_bug.cgi?id=2469055	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2026-29518	self
https://bugzilla.redhat.com/show_bug.cgi?id=2469055	external
https://www.cve.org/CVERecord?id=CVE-2026-29518	external
https://nvd.nist.gov/vuln/detail/CVE-2026-29518	external
https://access.redhat.com/security/cve/CVE-2026-43618	self
https://bugzilla.redhat.com/show_bug.cgi?id=2469054	external
https://www.cve.org/CVERecord?id=CVE-2026-43618	external
https://nvd.nist.gov/vuln/detail/CVE-2026-43618	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for rsync is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool.\n\nSecurity Fix(es):\n\n* rsync: rsync: Remote memory disclosure via integer overflow in compressed-token decoding (CVE-2026-43618)\n\n* rsync: TOCTOU symlink race condition allowing local privilege escalation in daemon mode without chroot. (CVE-2026-29518)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:26408",
        "url": "https://access.redhat.com/errata/RHSA-2026:26408"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2469054",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2469054"
      },
      {
        "category": "external",
        "summary": "2469055",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2469055"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_26408.json"
      }
    ],
    "title": "Red Hat Security Advisory: rsync security update",
    "tracking": {
      "current_release_date": "2026-06-17T03:58:30+00:00",
      "generator": {
        "date": "2026-06-17T03:58:30+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.0.0"
        }
      },
      "id": "RHSA-2026:26408",
      "initial_release_date": "2026-06-16T17:37:50+00:00",
      "revision_history": [
        {
          "date": "2026-06-16T17:37:50+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-16T17:37:50+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-17T03:58:30+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux BaseOS (v. 8)",
                "product": {
                  "name": "Red Hat Enterprise Linux BaseOS (v. 8)",
                  "product_id": "BaseOS-8.10.0.Z.MAIN.EUS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:8::baseos"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rsync-0:3.1.3-27.el8_10.src",
                "product": {
                  "name": "rsync-0:3.1.3-27.el8_10.src",
                  "product_id": "rsync-0:3.1.3-27.el8_10.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rsync@3.1.3-27.el8_10?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rsync-0:3.1.3-27.el8_10.aarch64",
                "product": {
                  "name": "rsync-0:3.1.3-27.el8_10.aarch64",
                  "product_id": "rsync-0:3.1.3-27.el8_10.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rsync@3.1.3-27.el8_10?arch=aarch64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rsync-debugsource-0:3.1.3-27.el8_10.aarch64",
                "product": {
                  "name": "rsync-debugsource-0:3.1.3-27.el8_10.aarch64",
                  "product_id": "rsync-debugsource-0:3.1.3-27.el8_10.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rsync-debugsource@3.1.3-27.el8_10?arch=aarch64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rsync-debuginfo-0:3.1.3-27.el8_10.aarch64",
                "product": {
                  "name": "rsync-debuginfo-0:3.1.3-27.el8_10.aarch64",
                  "product_id": "rsync-debuginfo-0:3.1.3-27.el8_10.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rsync-debuginfo@3.1.3-27.el8_10?arch=aarch64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rsync-0:3.1.3-27.el8_10.ppc64le",
                "product": {
                  "name": "rsync-0:3.1.3-27.el8_10.ppc64le",
                  "product_id": "rsync-0:3.1.3-27.el8_10.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rsync@3.1.3-27.el8_10?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rsync-debugsource-0:3.1.3-27.el8_10.ppc64le",
                "product": {
                  "name": "rsync-debugsource-0:3.1.3-27.el8_10.ppc64le",
                  "product_id": "rsync-debugsource-0:3.1.3-27.el8_10.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rsync-debugsource@3.1.3-27.el8_10?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rsync-debuginfo-0:3.1.3-27.el8_10.ppc64le",
                "product": {
                  "name": "rsync-debuginfo-0:3.1.3-27.el8_10.ppc64le",
                  "product_id": "rsync-debuginfo-0:3.1.3-27.el8_10.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rsync-debuginfo@3.1.3-27.el8_10?arch=ppc64le"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rsync-0:3.1.3-27.el8_10.x86_64",
                "product": {
                  "name": "rsync-0:3.1.3-27.el8_10.x86_64",
                  "product_id": "rsync-0:3.1.3-27.el8_10.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rsync@3.1.3-27.el8_10?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rsync-debugsource-0:3.1.3-27.el8_10.x86_64",
                "product": {
                  "name": "rsync-debugsource-0:3.1.3-27.el8_10.x86_64",
                  "product_id": "rsync-debugsource-0:3.1.3-27.el8_10.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rsync-debugsource@3.1.3-27.el8_10?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rsync-debuginfo-0:3.1.3-27.el8_10.x86_64",
                "product": {
                  "name": "rsync-debuginfo-0:3.1.3-27.el8_10.x86_64",
                  "product_id": "rsync-debuginfo-0:3.1.3-27.el8_10.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rsync-debuginfo@3.1.3-27.el8_10?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rsync-0:3.1.3-27.el8_10.s390x",
                "product": {
                  "name": "rsync-0:3.1.3-27.el8_10.s390x",
                  "product_id": "rsync-0:3.1.3-27.el8_10.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rsync@3.1.3-27.el8_10?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rsync-debugsource-0:3.1.3-27.el8_10.s390x",
                "product": {
                  "name": "rsync-debugsource-0:3.1.3-27.el8_10.s390x",
                  "product_id": "rsync-debugsource-0:3.1.3-27.el8_10.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rsync-debugsource@3.1.3-27.el8_10?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rsync-debuginfo-0:3.1.3-27.el8_10.s390x",
                "product": {
                  "name": "rsync-debuginfo-0:3.1.3-27.el8_10.s390x",
                  "product_id": "rsync-debuginfo-0:3.1.3-27.el8_10.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rsync-debuginfo@3.1.3-27.el8_10?arch=s390x"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rsync-daemon-0:3.1.3-27.el8_10.noarch",
                "product": {
                  "name": "rsync-daemon-0:3.1.3-27.el8_10.noarch",
                  "product_id": "rsync-daemon-0:3.1.3-27.el8_10.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/rsync-daemon@3.1.3-27.el8_10?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-0:3.1.3-27.el8_10.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.aarch64"
        },
        "product_reference": "rsync-0:3.1.3-27.el8_10.aarch64",
        "relates_to_product_reference": "BaseOS-8.10.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-0:3.1.3-27.el8_10.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.ppc64le"
        },
        "product_reference": "rsync-0:3.1.3-27.el8_10.ppc64le",
        "relates_to_product_reference": "BaseOS-8.10.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-0:3.1.3-27.el8_10.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.s390x"
        },
        "product_reference": "rsync-0:3.1.3-27.el8_10.s390x",
        "relates_to_product_reference": "BaseOS-8.10.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-0:3.1.3-27.el8_10.src as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.src"
        },
        "product_reference": "rsync-0:3.1.3-27.el8_10.src",
        "relates_to_product_reference": "BaseOS-8.10.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-0:3.1.3-27.el8_10.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.x86_64"
        },
        "product_reference": "rsync-0:3.1.3-27.el8_10.x86_64",
        "relates_to_product_reference": "BaseOS-8.10.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-daemon-0:3.1.3-27.el8_10.noarch as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.10.0.Z.MAIN.EUS:rsync-daemon-0:3.1.3-27.el8_10.noarch"
        },
        "product_reference": "rsync-daemon-0:3.1.3-27.el8_10.noarch",
        "relates_to_product_reference": "BaseOS-8.10.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-debuginfo-0:3.1.3-27.el8_10.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.aarch64"
        },
        "product_reference": "rsync-debuginfo-0:3.1.3-27.el8_10.aarch64",
        "relates_to_product_reference": "BaseOS-8.10.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-debuginfo-0:3.1.3-27.el8_10.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.ppc64le"
        },
        "product_reference": "rsync-debuginfo-0:3.1.3-27.el8_10.ppc64le",
        "relates_to_product_reference": "BaseOS-8.10.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-debuginfo-0:3.1.3-27.el8_10.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.s390x"
        },
        "product_reference": "rsync-debuginfo-0:3.1.3-27.el8_10.s390x",
        "relates_to_product_reference": "BaseOS-8.10.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-debuginfo-0:3.1.3-27.el8_10.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.x86_64"
        },
        "product_reference": "rsync-debuginfo-0:3.1.3-27.el8_10.x86_64",
        "relates_to_product_reference": "BaseOS-8.10.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-debugsource-0:3.1.3-27.el8_10.aarch64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.aarch64"
        },
        "product_reference": "rsync-debugsource-0:3.1.3-27.el8_10.aarch64",
        "relates_to_product_reference": "BaseOS-8.10.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-debugsource-0:3.1.3-27.el8_10.ppc64le as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.ppc64le"
        },
        "product_reference": "rsync-debugsource-0:3.1.3-27.el8_10.ppc64le",
        "relates_to_product_reference": "BaseOS-8.10.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-debugsource-0:3.1.3-27.el8_10.s390x as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.s390x"
        },
        "product_reference": "rsync-debugsource-0:3.1.3-27.el8_10.s390x",
        "relates_to_product_reference": "BaseOS-8.10.0.Z.MAIN.EUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-debugsource-0:3.1.3-27.el8_10.x86_64 as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.x86_64"
        },
        "product_reference": "rsync-debugsource-0:3.1.3-27.el8_10.x86_64",
        "relates_to_product_reference": "BaseOS-8.10.0.Z.MAIN.EUS"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-29518",
      "cwe": {
        "id": "CWE-367",
        "name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
      },
      "discovery_date": "2026-05-11T13:09:31.417000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2469055"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in rsync. An rsync daemon configured with \"use chroot = no\" is exposed\nto a time-of-check / time-of-use race on parent path components. A local\nattacker with write access to a module can replace a parent directory\ncomponent with a symlink between the receiver\u0027s check and its open(),\nredirecting reads (basis-file disclosure) and writes (file overwrite)\noutside the module. Under elevated daemon privilege this allows privilege\nescalation. Default \"use chroot = yes\" is not exposed.\nReach: local attacker on the daemon host, write access to a module path,\ndaemon configured with use chroot = no.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "rsync: TOCTOU symlink race condition allowing local privilege escalation in daemon mode without chroot.",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw, a Time-of-Check Time-of-Use (TOCTOU) race condition, allows a local attacker with write access to an rsync module path to achieve privilege escalation. This vulnerability specifically impacts rsync daemons configured with `use chroot = no`. Red Hat\u0027s default rsync daemon configuration utilizes `use chroot = yes`, which is not susceptible to this issue.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.aarch64",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.ppc64le",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.s390x",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.src",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.x86_64",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-daemon-0:3.1.3-27.el8_10.noarch",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.aarch64",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.ppc64le",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.s390x",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.x86_64",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.aarch64",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.ppc64le",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.s390x",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-29518"
        },
        {
          "category": "external",
          "summary": "RHBZ#2469055",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2469055"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-29518",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-29518"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-29518",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29518"
        }
      ],
      "release_date": "2026-05-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-16T17:37:50+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.aarch64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.ppc64le",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.s390x",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.src",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.x86_64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-daemon-0:3.1.3-27.el8_10.noarch",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.aarch64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.ppc64le",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.s390x",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.x86_64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.aarch64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.ppc64le",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.s390x",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:26408"
        },
        {
          "category": "workaround",
          "details": "To prevent exploitation, ensure the rsync daemon is configured with `use chroot = yes`. This setting, which is the default, isolates the rsync process and prevents the symlink race condition. If `use chroot = no` is present in the rsync configuration (e.g., `/etc/rsyncd.conf`), it must be changed to `use chroot = yes`. A restart of the rsync service is required for any configuration changes to take effect.",
          "product_ids": [
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.aarch64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.ppc64le",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.s390x",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.src",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.x86_64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-daemon-0:3.1.3-27.el8_10.noarch",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.aarch64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.ppc64le",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.s390x",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.x86_64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.aarch64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.ppc64le",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.s390x",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.aarch64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.ppc64le",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.s390x",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.src",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.x86_64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-daemon-0:3.1.3-27.el8_10.noarch",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.aarch64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.ppc64le",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.s390x",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.x86_64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.aarch64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.ppc64le",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.s390x",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "rsync: TOCTOU symlink race condition allowing local privilege escalation in daemon mode without chroot."
    },
    {
      "cve": "CVE-2026-43618",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "discovery_date": "2026-05-11T13:09:39.838000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2469054"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in rsync. An authenticated daemon peer can exploit an integer overflow vulnerability in the compressed-token decoder. By carefully manipulating the compressed-token, a malicious sender can trigger an overflow, leading to remote memory disclosure. This allows an attacker to leak sensitive process memory contents, including environment variables, passwords, and memory pointers, which significantly weakens Address Space Layout Randomization (ASLR) and can facilitate further exploitation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "rsync: rsync: Remote memory disclosure via integer overflow in compressed-token decoding",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw in rsync\u0027s compressed-token decoding allows an authenticated remote attacker to trigger an integer overflow. This can lead to memory disclosure, potentially exposing sensitive information such as environment variables or heap pointers, thereby weakening Address Space Layout Randomization (ASLR) and aiding further exploitation. The vulnerability is present when rsync is configured as a daemon with compression enabled, which is the default for protocols version 30 and higher.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.aarch64",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.ppc64le",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.s390x",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.src",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.x86_64",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-daemon-0:3.1.3-27.el8_10.noarch",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.aarch64",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.ppc64le",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.s390x",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.x86_64",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.aarch64",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.ppc64le",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.s390x",
          "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-43618"
        },
        {
          "category": "external",
          "summary": "RHBZ#2469054",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2469054"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-43618",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-43618"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-43618",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43618"
        }
      ],
      "release_date": "2026-05-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-16T17:37:50+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.aarch64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.ppc64le",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.s390x",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.src",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.x86_64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-daemon-0:3.1.3-27.el8_10.noarch",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.aarch64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.ppc64le",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.s390x",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.x86_64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.aarch64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.ppc64le",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.s390x",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:26408"
        },
        {
          "category": "workaround",
          "details": "Disable compression on the rsync daemon by adding `refuse options = compress` to the `rsyncd.conf` file. A restart of the rsync daemon service is required for the change to take effect and may impact transfer performance.",
          "product_ids": [
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.aarch64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.ppc64le",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.s390x",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.src",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.x86_64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-daemon-0:3.1.3-27.el8_10.noarch",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.aarch64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.ppc64le",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.s390x",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.x86_64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.aarch64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.ppc64le",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.s390x",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.aarch64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.ppc64le",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.s390x",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.src",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-0:3.1.3-27.el8_10.x86_64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-daemon-0:3.1.3-27.el8_10.noarch",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.aarch64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.ppc64le",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.s390x",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debuginfo-0:3.1.3-27.el8_10.x86_64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.aarch64",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.ppc64le",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.s390x",
            "BaseOS-8.10.0.Z.MAIN.EUS:rsync-debugsource-0:3.1.3-27.el8_10.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "rsync: rsync: Remote memory disclosure via integer overflow in compressed-token decoding"
    }
  ]
}

CVE-2026-29518 (GCVE-0-2026-29518)

Vulnerability from cvelistv5 – Published: 2026-05-20 12:48 – Updated: 2026-05-26 14:40 X_Open Source

Title

Rsync < 3.4.3 TOCTOU Race Condition Allows Symlink-Based Arbitrary File Write

Summary

Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.

Severity

7.3 (High)


                        
                          CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

Assigner

VulnCheck

References

4 references

URL	Tags
https://github.com/RsyncProject/rsync/pull/895/ch…	issue-tracking
https://github.com/RsyncProject/rsync/releases/ta…	release-notes
https://michael.stapelberg.ch/posts/2026-05-24-mi…	technical-description
https://www.vulncheck.com/advisories/rsync-toctou…	third-party-advisory

Impacted products

1 product

Vendor	Product	Version
RsyncProject	rsync	Affected: 0 , < 3.4.3 (semver)

Date Public

2026-05-19 00:00

Credits

Nullx3D (Batuhan SANCAK) Michael Stapelberg Damien Neil

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29518",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-20T14:50:13.900176Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-20T14:50:31.650Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "rsync",
          "repo": "https://github.com/RsyncProject/rsync",
          "vendor": "RsyncProject",
          "versions": [
            {
              "lessThan": "3.4.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nullx3D (Batuhan SANCAK)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Michael Stapelberg"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Damien Neil"
        }
      ],
      "datePublic": "2026-05-19T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T14:40:30.873Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/RsyncProject/rsync/pull/895/changes/8471fdd1561049ef5f58df44a1811a50bd9a531d"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/RsyncProject/rsync/releases/tag/v3.4.3"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://michael.stapelberg.ch/posts/2026-05-24-minimal-memory-safe-go-rsync-vulns/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/rsync-toctou-race-condition-allows-symlink-based-arbitrary-file-write"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "Rsync \u003c 3.4.3 TOCTOU Race Condition Allows Symlink-Based Arbitrary File Write",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-29518",
    "datePublished": "2026-05-20T12:48:07.656Z",
    "dateReserved": "2026-03-04T15:39:26.872Z",
    "dateUpdated": "2026-05-26T14:40:30.873Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43618 (GCVE-0-2026-43618)

Vulnerability from cvelistv5 – Published: 2026-05-20 00:50 – Updated: 2026-05-20 13:04

Title

Rsync < 3.4.3 Integer Overflow Information Disclosure

Summary

Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation.

Severity

6.1 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-190 - Integer Overflow or Wraparound
CWE-125 - Out-of-bounds Read

Assigner

VulnCheck

References

3 references

URL	Tags
https://github.com/RsyncProject/rsync/security/ad…	vendor-advisory
https://github.com/RsyncProject/rsync/releases/ta…	release-notes
https://www.vulncheck.com/advisories/rsync-intege…	third-party-advisory

Impacted products

1 product

Vendor	Product	Version
RsyncProject	rsync	Affected: 0 , < 3.4.3 (semver)

Date Public

2026-05-19 00:00

Credits

Omar Elsayed (@seks99x)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-43618",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-20T13:03:53.283160Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-20T13:04:03.282Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "rsync",
          "repo": "https://github.com/RsyncProject/rsync",
          "vendor": "RsyncProject",
          "versions": [
            {
              "lessThan": "3.4.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Omar Elsayed (@seks99x)"
        }
      ],
      "datePublic": "2026-05-19T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Rsync version\u00a03.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-125",
              "description": "Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-20T00:50:21.416Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/RsyncProject/rsync/security/advisories/GHSA-g37v-g3gj-pmwq"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/RsyncProject/rsync/releases/tag/v3.4.3"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/rsync-integer-overflow-information-disclosure"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Rsync \u003c 3.4.3 Integer Overflow Information Disclosure",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-43618",
    "datePublished": "2026-05-20T00:50:21.416Z",
    "dateReserved": "2026-05-01T18:22:45.639Z",
    "dateUpdated": "2026-05-20T13:04:03.282Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:26408

CVE-2026-29518 (GCVE-0-2026-29518)

CVE-2026-43618 (GCVE-0-2026-43618)

Tags

Sightings

Nomenclature