CVE-2026-43619

CVE-2026-43619 is a medium-severity vulnerability in Samba Rsync with a CVSS 3.x base score of 6.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-59.

Key facts

Description

Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.

Frequently asked questions

What is CVE-2026-43619?
Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.
How severe is CVE-2026-43619?
CVE-2026-43619 has a CVSS 3.x base score of 6.3, rated medium severity. It is exploitable over local access with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
Is CVE-2026-43619 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (3rd percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-43619?
CVE-2026-43619 affects Samba Rsync. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-43619?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-43619 have an EU (EUVD) identifier?
Yes. CVE-2026-43619 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-31010.
When was CVE-2026-43619 published?
CVE-2026-43619 was published on 2026-05-20 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Samba Rsync

All CVEs affecting Samba Rsync →

Other CWE-59 (Improper Link Resolution Before File Access (Link Following)) vulnerabilities

Browse all CWE-59 (Improper Link Resolution Before File Access (Link Following)) vulnerabilities →