CVE-2026-29518 rsync Fix: Symlink Race in Daemon Mode (Windows Admin Checklist)

A high-severity vulnerability in rsync, tracked as CVE-2026-29518, exposes daemons running without chroot protection to a symlink race condition. Disclosed on May 20, 2026, the flaw affects all rsync versions before 3.4.3 and carries a CVSS score of 8.1. Attackers can exploit the race to make the rsync daemon follow arbitrary symlinks on the server, writing files outside of the intended module directory. For Windows administrators who might run rsync servers—whether natively on Windows Server, inside WSL, or via Cygwin—the implications are immediate and severe.

What triggers the race?

The vulnerability resides in rsync's daemon mode when the use chroot parameter is set to no (the default is yes, but many setups disable it for convenience or performance). In such configurations, the daemon processes incoming file requests without confining operations to the module path via chroot. When an attacker rapidly sends successive requests involving a symlink, they can alter the link's target between the daemon's check and the actual file operation. This TOCTOU (time-of-check to time-of-use) race allows malicious file creation outside the intended directory tree.

Unlike a simple path traversal, the race does not bypass symlink restrictions outright. The rsync daemon still refuses to follow symlinks that point outside the module if it can validate the target. But the race window lets an attacker swap a valid symlink with one pointing to a sensitive system file—like /etc/shadow on Unix or a critical Windows registry hive file if rsync is running on a Windows host—between the validation and the write operation. The result: file override or arbitrary content injection.

How an attacker wins the race

Successful exploitation requires precise timing. The attacker must send two concurrent rsync protocol operations: one to trigger the symlink check and another to replace the symlink with a malicious target before the daemon acts. Modern network conditions and multi-threaded daemon handling make the window wide enough to hit reliably in under a minute on local network or same-host attacks. Remote internet-facing attacks are feasible if latency is low and the attacker can issue many rapid-fire requests.

Proof-of-concept exploits circulating in security forums demonstrate the technique against a default rsyncd configuration with use chroot = no. The attacker first creates a benign symlink pointing to a harmless file within the module. They then repeatedly attempt to sync a file through that symlink while in another connection they overwrite the symlink with one pointing to /etc/cron.d (on Linux) or C:\Windows\System32\drivers\etc\hosts (on Windows). With enough attempts, the daemon writes the attacker’s file to the trojaned location.

Systems at risk

Any rsync daemon version < 3.4.3 that disables chroot is vulnerable. This includes:
- Custom backup servers using rsync for daily transfers
- Linux-based NAS devices exposing rsync shares
- Continuous integration runners that sync artifacts
- Windows hosts running rsync via Windows Subsystem for Linux (WSL), Cygwin, or native ports like cwRsync

While the vulnerability originates from Unix-centric code paths, Windows deployments are not immune. Rsync on WSL can access the Windows filesystem via /mnt/c/, making symlink attacks possible against critical system files. Even native Windows rsync ports implement the same daemon logic and are equally exploitable. Admins who tunnel rsync over SSH (using rsync -e ssh) are not directly affected because the daemon isn't involved—but many automated Windows backup scripts run an rsync daemon listener for speed.

The fix: Update to rsync 3.4.3

The rsync maintainers released version 3.4.3 on May 20, 2026, coinciding with the CVE publication. The patch introduces stricter symlink validation in daemon mode. Instead of trusting a symlink’s target at check time, the daemon now resolves the final path atomically with the write operation using O_NOFOLLOW-style flags where supported, and falls back to a more aggressive re-check loop on platforms without that support. The race window becomes so narrow that practical exploitation is virtually impossible.

Windows admins should note that the official rsync distribution does not provide native Windows binaries. However, the cygwin and mingw ports track the upstream source closely. The maintainers of cwRsync, for example, typically release a new build within days of an upstream security fix. Check your distribution’s repository or the cwRsync website for an updated package. For WSL users, updating via the distribution’s package manager (e.g., sudo apt update && sudo apt install rsync on Ubuntu WSL) will fetch the patched version once the distro maintainers incorporate it—usually within a week.

Windows admin checklist

Assess your exposure and mitigate CVE-2026-29518 with these steps:

1. Inventory all rsync instances

• Search for rsync binaries (rsync.exe, rsync.exe inside Cygwin, or the rsync command within WSL instances)
• Check scheduled tasks, backup scripts, and CI/CD pipelines that invoke rsync
• Don’t forget Windows Server boxes that might host file replication as a service, not a user application

2. Determine the version

• On WSL or Cygwin: rsync --version
• For cwRsync, check the --version output or the file properties of rsync.exe
• Note the exact string; 3.4.3 is safe. Anything lower—3.4.2, 3.2.7, etc.—is vulnerable.

3. Check daemon configurations

• Look for rsyncd.conf files (often in /etc/rsyncd.conf, C:\cygwin\etc\rsyncd.conf, or a path specified in a service wrapper)
• Identify modules where use chroot is explicitly set to no. Example vulnerable snippet:

[backup]
    path = /cygdrive/d/backups
    use chroot = no
    read only = false

• Also check if use chroot is omitted; the default is yes, but many admins override it in a global section.

4. Immediate mitigation without updating

If you cannot patch immediately:
- Enable chroot: Set use chroot = yes in all modules. This confines the daemon to the module path and prevents symlink escape. On Windows, rsync emulates chroot using directory re-pointing; it is not a kernel-enforced chroot but still blocks the race.
- Set munge symlinks = yes: This option tells rsync to store symlink targets in a regular file, rendering client-side symlink manipulation useless. However, this changes the behavior of synced symlinks—clients will receive regular files containing the link path.
- Restrict write access: If your module is read only = true, the attack fails because the daemon won’t create files. Verify that backup modules that only push data from clients are truly read-only on the server.
- Run rsync over SSH: Instead of using the rsync daemon, switch to SSH transport. Replace rsync://host/module commands with rsync -e ssh user@host:/path.

5. Apply the update methodically

• Test the new rsync binary in a staging environment first. Rsync 3.4.3 maintains full protocol compatibility, but custom wrapper scripts may break if they parse version strings.
• Update on all servers simultaneously to avoid compatibility hiccups. Rsync’s protocol negotiation works across versions, but security preferences (like forced chroot) could cause connections to fail if one end dislikes the other’s settings.
• Restart all rsync daemon processes after updating. On Windows services, this means stopping the cwRsync service, replacing the executable, and restarting.

6. Harden post-update

• Even after patching, enforce use chroot = yes as a defense-in-depth measure. The patch narrows the race window but does not eliminate TOCTOU entirely for non-default configurations.
• Implement filesystem monitoring on sensitive directories (e.g., C:\Windows\System32, C:\Windows\System32\drivers\etc). Use Windows Defender for Endpoint or Sysmon to alert on unexpected file creations or symlink modifications.
• Audit your rsync logs. The daemon can be configured to log symlink-following attempts. Increase log verbosity temporarily to spot any exploitation attempts during the patch window.

Real-world impact and exploitation timeline

While no in-the-wild attacks have been publicly reported at the time of disclosure, the simplicity of the exploit and the clear advisory details make it a prime candidate for quick weaponization. The vulnerability class—symlink races—has a long history in rsync (CVE-2022-29154, CVE-2007-6199) and in other file-sync tools. Automated scanning for open rsync ports (873) is trivial; Shodan search results already show thousands of rsync daemons with use chroot disabled.

Windows shops often underestimate their Unix tooling exposure. A single WSL instance with an rsync daemon listening on port 873 and binding to the Windows network interface is as dangerous as any Linux box. Because Windows doesn't have a native chroot system call, the rsync emulation might even be weaker, potentially making exploitation easier. Admins should treat this with the same urgency as any RCE vulnerability.

The broader lesson for Windows admins

CVE-2026-29518 underscores the risks of running cross-platform daemons with relaxed security settings. Rsync’s default chroot mode is safe; disabling it for performance—common on Windows NAS devices where chroot mimicry adds overhead—opens a significant attack surface. Security configuration matters more than platform. Windows admins managing rsync servers should adopt a “secure by default” stance: chroot enabled, strict module access controls, and network-level restrictions via Windows Firewall.

Moreover, this CVE highlights the importance of tracking security advisories for all software in your stack, even if it originates from another ecosystem. Rsync may be 28 years old, but as a core tool in backup pipelines, it remains a high-value target. Subscribe to the rsync-announce mailing list or follow your distribution’s security channels.

What’s next?

The rsync project has committed to additional symlink hardening in version 3.5, including an opt-in strict mode that forbids any symlink following in daemon mode unless explicitly allowed. Developers are also exploring sandboxing techniques for Windows builds to emulate chroot more robustly via Job Objects or AppContainers. For now, the immediate action is clear: update to 3.4.3 and enable chroot.

For Windows environments, the takeaway is twofold. First, inventory lurking Unix-style daemons—you might find rsync, nginx, or sshd running in odd corners of your infrastructure. Second, treat every network-exposed service, no matter how mundane, as a potential entry point. A symlink race in a file sync tool might be the stepping stone an attacker needs to drop a malicious driver in C:\Windows\System32\drivers.

Patch today. Check your chroots. And if you’re not sure whether you even have rsync running, now is the time to find out.