Rsync's TOCTOU Pile-Up (CVE-2026-29518, CVE-2026-43618): The Backup Pipeline Bug Class Nobody Audits

1. Why backup pipelines never make the audit

Walk into most security programmes and ask which production paths get the most rigorous code review. The answer will name the customer-facing application, the authentication system, the payment processor, the privileged-access tooling. The backup pipeline will not be in the top ten. Sometimes it will not be in the top fifty.

This is structural. The backup pipeline does not appear in the customer-facing risk register. It does not generate revenue. It runs at three in the morning under a service account whose credentials are buried in a Jenkins job nobody has touched since the original team rotated out. The pipeline frequently runs as root or as a privileged service account so it can read every file on the source side and write every file on the destination side. It connects to every host the customer owns. If you compromise the backup pipeline, you have read access to the entire fleet and write access to the historical state of every host on the network.

Rsync is the backbone of an enormous fraction of these pipelines. It is also the binary inside a startling number of NAS appliances, CI/CD deploy scripts, container-image-extraction tooling, and "let's mirror the prod data into staging" scripts. Two CVEs disclosed in the last 48 hours land squarely on rsync 3.4.x: CVE-2026-29518 (a TOCTOU race) and CVE-2026-43618 (an integer overflow in the same file-handling code). The combined exposure footprint is large enough that we shipped the Test Capsule overnight.

2. CVE-2026-29518, the TOCTOU

The bug is the classic time-of-check / time-of-use race (CWE-367). The vulnerable path in rsync 3.4.2 and earlier checks file metadata at one point in the flow and uses the file at a later point, without holding a lock or re-validating the metadata at use time. An attacker who can win the race window can swap the underlying file between the check and the use, causing rsync to operate on a file other than the one it validated.

The published advisory describes the race in terms of symlink replacement. The attack shape is: rsync is about to copy a file from a directory the attacker controls; rsync stats the file, decides it is a regular file, opens the file, reads its contents, and writes them to the destination. Between the stat and the open, the attacker swaps the regular file for a symlink pointing to a sensitive destination (a credentials file, a key store, /etc/shadow). Rsync follows the symlink, reads the sensitive file, and writes its contents to the destination, which is frequently a publicly-readable backup share.

The exploit window is narrow but reachable. A typical backup run touches thousands of files; only one of them needs to win the race. The attacker side is mechanical: a tight loop that swaps the target inode between regular file and symlink in a small per-iteration time window.

The fix in 3.4.3 holds the file descriptor open across the validation and use, so the rsync process operates on the originally-validated inode regardless of what filename changes happen during the operation.
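The check-then-use shape and the descriptor-held fix side by side, as an added illustration that is not rsync's code: check_is_regular_by_path followed by a second open() is the vulnerable pattern, open_validated_regular is the hardened one (open with O_NOFOLLOW, then fstat the descriptor and keep using it), and demo_toctou performs the swap by hand on constructed files under /tmp so the difference is visible without any timing. All function names, the fixture paths and the sample contents are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable shape (CWE-367): validate by path now, open the same path later. */
static int check_is_regular_by_path(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Hardened shape: open first, refusing symlinks, then validate the descriptor
 * itself; all later work uses the fd, so the validated inode cannot change. */
int open_validated_regular(const char *path) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                               /* ELOOP on a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}

static int write_file(const char *p, const char *s) {
    int fd = open(p, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    ssize_t n = fd < 0 ? -1 : write(fd, s, strlen(s));
    return (fd >= 0 && close(fd) == 0 && n == (ssize_t)strlen(s)) ? 0 : -1;
}
/* Constructed fixture: a temp dir holding a benign "victim" and a "secret". */
static int make_fixture(char *victim, char *secret, size_t n) {
    char dir[] = "/tmp/toctou.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, n, "%s/victim", dir);
    snprintf(secret, n, "%s/secret", dir);
    return write_file(secret, "SECRET") | write_file(victim, "benign");
}

/* Swap by hand between check and use, standing in for a won race. Returns 1 if
 * the unsafe open read the secret, +2 if the hardened open refused it, -1 on error. */
int demo_toctou(void) {
    char victim[64], secret[64], buf[16] = {0};
    if (make_fixture(victim, secret, sizeof victim) != 0) return -1;
    if (!check_is_regular_by_path(victim)) return 0;         /* check: regular */
    if (unlink(victim) != 0 || symlink(secret, victim) != 0) return -1;
    int fd = open(victim, O_RDONLY);                         /* use: follows link */
    if (fd >= 0) { if (read(fd, buf, sizeof buf - 1) < 0) buf[0] = 0; close(fd); }
    int hfd = open_validated_regular(victim);                /* -1 on the symlink */
    if (hfd >= 0) close(hfd);
    return (strcmp(buf, "SECRET") == 0) | (hfd < 0 ? 2 : 0);
}
```

demo_toctou() returns 3: the path-based pattern handed back the secret's contents while the descriptor-based one refused the repointed name.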

3. CVE-2026-43618, the integer overflow

The second CVE lands in the same code area. The vulnerable path computes a buffer size from inputs that include file-length and chunk-count values derived from the file being transferred. The arithmetic does not check for overflow; on a 32-bit size_t field receiving a large-enough product, the buffer-size value wraps to a small positive number. Rsync then allocates a too-small buffer and writes the full-size file data into it.

The result is a textbook heap overflow (CWE-787). The exploitation primitive is an oversized file (sized to trigger the overflow on the target's size_t width) handed to rsync through any path the attacker can reach. On 64-bit systems with size_t == uint64_t, the overflow requires absurd file sizes; on 32-bit systems and on the surprising number of 64-bit systems where the buffer-size computation happens through a deliberately-narrowed intermediate, the overflow is achievable with file sizes in the tens of gigabytes, within the practical range for a backup pipeline.

The fix in 3.4.3 adds bounded arithmetic on the buffer-size computation and rejects file sizes that would produce an overflow.
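An added example of the two arithmetic shapes, not rsync's own code: the formula (file_len + chunk_count * per_chunk) and the names are assumed, and a 32-bit typedef stands in for both a 32-bit size_t and the narrowed intermediate the text mentions, so the wrap reproduces on a 64-bit host. buffer_size_checked is the bounded form the 3.4.3 fix describes: it rejects inputs that would wrap instead of allocating a too-small buffer.

```c
#include <stdint.h>

/* A 32-bit width stands in both for a 32-bit size_t and for the narrowed
 * intermediate the text describes on 64-bit hosts, so the wrap reproduces on
 * any machine. The formula (file_len + chunk_count * per_chunk) is illustrative. */
typedef uint32_t narrow_size_t;
#define NARROW_MAX UINT32_MAX

/* Unchecked shape: product and sum wrap silently modulo 2^32, so a large file
 * yields a small positive size that malloc will happily satisfy. */
narrow_size_t buffer_size_unchecked(narrow_size_t file_len,
                                    narrow_size_t chunk_count,
                                    narrow_size_t per_chunk) {
    return file_len + chunk_count * per_chunk;
}

/* Checked shape: each step is tested against the width before it is performed.
 * Returns the size, or -1 if any step would wrap, so the caller rejects the
 * file instead of allocating a buffer smaller than the data it must hold.
 * (__builtin_mul_overflow / __builtin_add_overflow do the same on GCC/Clang.) */
int64_t buffer_size_checked(narrow_size_t file_len,
                            narrow_size_t chunk_count,
                            narrow_size_t per_chunk) {
    if (per_chunk != 0 && chunk_count > NARROW_MAX / per_chunk)
        return -1;                                   /* product would wrap */
    narrow_size_t prod = chunk_count * per_chunk;
    if (file_len > NARROW_MAX - prod)
        return -1;                                   /* sum would wrap */
    return (int64_t)(file_len + prod);
}

/* The hazard itself: a buffer sized from the wrapped value is smaller than the
 * payload about to be written into it. Returns 1 when that is the case. */
int unchecked_under_allocates(narrow_size_t file_len, narrow_size_t chunk_count,
                              narrow_size_t per_chunk) {
    return buffer_size_unchecked(file_len, chunk_count, per_chunk) < file_len;
}
```

With file_len = 0xFFFFFF00, 16 chunks and 32 bytes per chunk the unchecked sum wraps to 256, a buffer roughly four gigabytes too small; the checked version returns -1 for the same inputs.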

4. The projection

Our Version Vulnerability Projector ran against the customer install base overnight. The projection identified the following affected component classes:

The projection produced approximately 14,000 individual asset-class hits across the active customer base. The fast-tracked subset, assets where the affected rsync runs with elevated privileges and reads attacker-influenced files, was about 1,800. The Test Capsule dispatch went out before the customer dashboards refreshed for the morning.

5. The test capsule

The capsule has two probes.

Probe 1: version fingerprint. The simplest possible check: invoke rsync --version against the local binary, against every container image in the customer's registry, and against any NAS appliance whose vendor exposes a fingerprintable endpoint. The decision rule is: version_string matches '^rsync version 3\.4\.[0-2]'. PASS / FAIL is deterministic.
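Probe 1's rule as a numeric comparison rather than a prefix match, an added example that is not the capsule's code: rsync prints its banner as `rsync  version X.Y.Z  protocol version N` (two spaces after "rsync" and after the version), and a prefix regex ending in `[0-2]` also matches 3.4.10 through 3.4.29, so the parser below tolerates whitespace and compares the version tuple against the 3.4.3 fix. The function names and the sample banners are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Parse the first line of `rsync --version` into a numeric triple. rsync
 * prints "rsync  version X.Y.Z  protocol version N" with double spaces;
 * scanf-style parsing treats any run of whitespace as one separator, so both
 * that form and a single-spaced one are accepted. Returns 1 on success, 0 if
 * the line is not an rsync version banner. */
int parse_rsync_version(const char *line, int *major, int *minor, int *patch) {
    char word[16];
    *patch = 0;   /* a bare "3.4" counts as 3.4.0 */
    if (sscanf(line, "rsync %15s %d.%d.%d", word, major, minor, patch) < 3)
        return 0;
    return strcmp(word, "version") == 0;
}

/* Decision rule as a tuple comparison: affected iff 3.4.0 <= v <= 3.4.2, i.e.
 * a 3.4.x release below the 3.4.3 fix. Unlike the prefix regex, "3.4.10" is
 * reported as PASS. Returns 1 = FAIL (affected), 0 = PASS, -1 = not a banner. */
int rsync_version_probe(const char *line) {
    int maj, min, pat;
    if (!parse_rsync_version(line, &maj, &min, &pat)) return -1;
    return maj == 3 && min == 4 && pat <= 2;
}
```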

Probe 2: TOCTOU window measurement. For assets that fail probe 1 AND run rsync in an attacker-influenceable context, the second probe measures the actual race window. The probe creates a benign directory containing a regular file, runs an rsync against the directory, and uses an instrumented helper to time the gap between rsync's stat() and open() syscalls. A race window above the platform-specific threshold (we use 1 ms as the default; some platforms reliably allow 10 ms or more) is reported as exploitable; the capsule does not attempt to weaponise the race, but it does prove the race is winnable.

The benign-demonstration variant on probe 2 does not swap the file. It only measures the gap. This satisfies the customer's blast-radius rules: we are demonstrating exploitability without performing the exploit. A customer who wants the full exploitation demonstration can request it through their account team and we will run it against a benign-payload variant in their staging environment.

The capsule signature was minted at 04:11 UTC; the customer-facing dashboards picked up the new finding on the regular refresh interval around 06:00 local time.

6. The remediation

The fix is unambiguous: upgrade to rsync 3.4.3 or newer everywhere the version probe fails. The hard part is the inventory.

We recommend the following sequence to customers:

  1. Pin the version on directly-invoked rsync. Wherever a script, cron job, or systemd timer invokes rsync, audit which binary is being invoked and bump the underlying package. On most Linux distributions, the package security tracker will have an updated package within 24-72 hours; until then, the upstream tarball is available and builds reproducibly.
  2. Rebuild container images. Any image whose base layer includes the affected rsync needs to be rebuilt against an updated base. The rebuild is mechanical for images using apt or dnf; the harder cases are vendored-binary images that need a custom rebuild of the rsync layer.
  3. Push vendors for NAS firmware. The three vendors with affected firmware have not all shipped updates as of writing. The interim mitigation is to isolate the NAS-management interface to a private network and to disable any path that allows untrusted users to trigger rsync operations.
  4. Audit backup-product vendors. If your backup product statically links rsync, the vendor owes you a binary update. The product's vendor advisory should have shipped within 24 hours of the rsync disclosure; if it has not, escalate.

7. The structural lesson

The two rsync CVEs are textbook examples of a class we keep seeing: critical infrastructure tooling that nobody routinely audits, embedded in countless pipelines, runs with elevated privileges, and inherits every vulnerability that lands against the upstream. The defensive response is not just to patch this rsync; it is to add rsync (and tar, and curl, and gnupg, and the rest of the GNU coreutils) to the asset inventory and to the version-projection feed. These binaries do not drop out of the attack surface just because they are not security tools. They are part of it because they handle untrusted input and produce trusted output, and that trust is exactly what an attacker wants to subvert.

If your backup pipeline does not have a Test Capsule running against it on the same cadence as your web application, the pipeline is operating below the application's security posture. The attacker reads both, and chooses the cheaper.

Verifiable security.