Bug 2469055 (CVE-2026-29518)

Summary: CVE-2026-29518 rsync: TOCTOU symlink race condition allowing local privilege escalation in daemon mode without chroot.
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: rhel-process-autobot, security-response-team, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in rsync. An rsync daemon configured with "use chroot = no" is exposed to a time-of-check / time-of-use race on parent path components. A local attacker with write access to a module can replace a parent directory component with a symlink between the receiver's check and its open(), redirecting reads (basis-file disclosure) and writes (file overwrite) outside the module. Under elevated daemon privilege this allows privilege escalation. Default "use chroot = yes" is not exposed. Reach: local attacker on the daemon host, write access to a module path, daemon configured with use chroot = no.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2026-05-20   

Description OSIDB Bzimport 2026-05-11 13:53:35 UTC 
A flaw was found in rsync. An rsync daemon configured with "use chroot = no" is exposed
to a time-of-check / time-of-use race on parent path components. A local
attacker with write access to a module can replace a parent directory
component with a symlink between the receiver's check and its open(),
redirecting reads (basis-file disclosure) and writes (file overwrite)
outside the module. Under elevated daemon privilege this allows privilege
escalation. Default "use chroot = yes" is not exposed.
Comment 2 errata-xmlrpc 2026-06-16 14:15:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:26332 https://access.redhat.com/errata/RHSA-2026:26332
Comment 3 errata-xmlrpc 2026-06-16 16:59:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:26410 https://access.redhat.com/errata/RHSA-2026:26410
Comment 4 errata-xmlrpc 2026-06-16 17:21:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:26408 https://access.redhat.com/errata/RHSA-2026:26408