Rsync CVE-2026-29518: TOCTOU Flaw Allows Privilege Escalation

Rsync versions prior to 3.4.3 are vulnerable to CVE-2026-29518, a high-severity time-of-check to time-of-use (TOCTOU) race condition. The National Vulnerability Database reports this flaw resides in how the rsync daemon handles files. An attacker with write access to a module path can exploit this race to redirect file writes, using symbolic links to replace parent directory components.

This vulnerability allows attackers to create or overwrite arbitrary files, which is critical. If the rsync daemon runs with elevated privileges and the chroot setting is disabled (which it often is in less secure configurations), this can lead directly to privilege escalation by modifying sensitive system files. The attacker’s calculus here is simple: gain a foothold, then leverage a common daemon misconfiguration to own the box.

The CVSS score of 7.0 (HIGH) reflects the potential for complete compromise of confidentiality, integrity, and availability once exploited. Defenders running rsync services need to understand that this isn’t a theoretical issue; it’s a direct path to system control if their configurations are not hardened.

What This Means For You

  • If your organization uses rsync, especially in daemon mode with `chroot` set to `false`, you are exposed. Patch immediately to version 3.4.3 or later. Audit your rsync configurations for `chroot` settings and ensure that module paths have strict write access controls. This is a direct privilege escalation path; do not treat it as a low-priority fix.
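The configuration audit recommended above can be scripted. The following is an added example, not code from the original page or from the rsync project: it parses rsyncd.conf text and reports modules that are writable while chroot is disabled. It assumes the page's "chroot" setting is the `use chroot` parameter of rsyncd.conf, read alongside `read only`, `uid` and `path`; the sample configuration is constructed.

```python
# Added example: audit rsyncd.conf text for writable modules with chroot disabled.
FALSY = {"no", "false", "0"}
# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
uid = root
use chroot = no
[backup]
    path = /srv/backup
    read only = no
[mirror]
    path = /srv/mirror
[upload]
    path = /srv/upload
    Use Chroot = yes
    read only = false
"""

def parse_rsyncd_conf(text):
    """Return (global_params, {module_name: params}) from rsyncd.conf text."""
    global_params, modules = {}, {}
    current = global_params
    for raw in text.replace("\\\n", "").splitlines():  # join continuation lines
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            name, value = line.split("=", 1)  # only the first "=" is significant
            # Parameter names are matched ignoring case and internal whitespace.
            current["".join(name.split()).lower()] = value.strip()
    return global_params, modules

def audit(text):
    """Return (module, path, uid) for modules that are writable without chroot."""
    global_params, modules = parse_rsyncd_conf(text)
    findings = []
    for name, params in modules.items():
        eff = {**global_params, **params}  # module settings override globals
        # Assumption: only an explicit false value counts as "chroot disabled".
        no_chroot = eff.get("usechroot", "yes").lower() in FALSY
        writable = eff.get("readonly", "yes").lower() in FALSY  # read only defaults to yes
        if no_chroot and writable:
            findings.append((name, eff.get("path", "?"), eff.get("uid", "(default)")))
    return findings

if __name__ == "__main__":
    for module, path, uid in audit(SAMPLE):
        print(f"[!] module {module}: path={path} uid={uid} writable, chroot disabled")
```

A flagged module still needs its filesystem permissions reviewed, since the exposure depends on who can write under the module path.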

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

Severity: high · Technique: T1200 · Tactic: Privilege Escalation

CVE-2026-29518 Rsync TOCTOU Privilege Escalation Attempt

Sigma YAML:

```yaml
title: CVE-2026-29518 Rsync TOCTOU Privilege Escalation Attempt
id: scw-2026-05-20-ai-1
status: experimental
level: high
description: |
  Detects the execution of the rsync daemon, which is a prerequisite for exploiting CVE-2026-29518. This rule specifically targets the rsync daemon process, as the vulnerability lies within its file handling mechanisms when the chroot setting is false. This is the primary indicator of potential exploitation.
author: SCW Feed Engine (AI-generated)
date: 2026-05-20
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-29518/
tags:
  - attack.privilege_escalation
  - attack.t1200
logsource:
  category: process_creation
detection:
  # Matches a process whose image path ends in /rsync and that was started with --daemon
  selection:
    Image|endswith:
      - '/rsync'
    CommandLine|contains:
      - '--daemon'
  # condition belongs directly under detection, not inside the selection map
  condition: selection
falsepositives:
  - Legitimate administrative activity
```

Source: Shimi's Cyber World · License & reuse


Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-29518 | Privilege Escalation | Rsync versions before 3.4.3 |
| CVE-2026-29518 | Race Condition | TOCTOU race condition in daemon file handling |
| CVE-2026-29518 | Path Traversal | redirect file writes outside intended directories by replacing parent directory components with symbolic links |
| CVE-2026-29518 | Misconfiguration | chroot setting is false |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 20, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
