CVE-2026-43619
Publication date 20 May 2026
Last updated 2 June 2026
Ubuntu priority
Description
Rsync versionĀ 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| rsync | 26.04 LTS resolute |
Fixed 3.4.1+ds1-7ubuntu0.2
|
| 25.10 questing |
Fixed 3.4.1+ds1-5ubuntu1.2
|
|
| 24.04 LTS noble |
Fixed 3.2.7-1ubuntu1.4
|
|
| 22.04 LTS jammy |
Fixed 3.2.7-0ubuntu0.22.04.6
|
|
| 20.04 LTS focal |
Fixed 3.1.3-8ubuntu0.9+esm1
|
|
| 18.04 LTS bionic |
Fixed 3.1.2-2.1ubuntu1.6+esm3
|
|
| 16.04 LTS xenial |
Fixed 3.1.1-3ubuntu1.3+esm5
|
|
| 14.04 LTS trusty |
Fixed 3.1.0-2ubuntu0.4+esm3
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialSeverity score breakdown
CVSS version:
Base score
7.2 · High
Vector: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Base score
6.3 · Medium
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
References
Related Ubuntu Security Notices (USN)
- USN-8283-1
- rsync vulnerabilities
- 20 May 2026
- USN-8349-1
- rsync vulnerabilities
- 1 June 2026