What is GHSA-pwrq-5rj3-c43m?

GHSA-pwrq-5rj3-c43m is a security advisory published by GitHub Security Advisories with High severity. Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system...

Which CVE IDs does GHSA-pwrq-5rj3-c43m cover?

GHSA-pwrq-5rj3-c43m covers the following CVE IDs: CVE-2026-43619. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-pwrq-5rj3-c43m?

GHSA-pwrq-5rj3-c43m has a CVSS v3 base score of 6.3, published by GitHub Security Advisories.

GHSA-pwrq-5rj3-c43mHighCVSS 6.3

Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system...

Vendor

GitHub Security Advisories

Published

May 20, 2026

Last Modified

May 20, 2026

🔗 CVE IDs covered (1)

CVE-2026-43619 →

📋 Description

Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.

🔗 References (5)

https://github.com/RsyncProject/rsync/security/advisories/GHSA-4h9m-w5ff-j735
https://nvd.nist.gov/vuln/detail/CVE-2026-43619
https://github.com/RsyncProject/rsync/releases/tag/v3.4.3
https://www.vulncheck.com/advisories/rsync-symlink-race-condition-via-path-based-syscalls
https://github.com/advisories/GHSA-pwrq-5rj3-c43m