CVE Catalog

CVE-2026-43617

MediumCVSS 4.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile - higher than 20% of all known CVEs

Summary

A vulnerability in rsync 3.4.2 and prior allows bypassing hostname-based access control in the rsync daemon when chroot is configured. Attackers can control the PTR record of their source IP to connect from a hostname that administrators intended to deny when reverse DNS fails and defaults to UNKNOWN.

Risk Assessment

The organization may allow access from unauthorized hosts, leading to unauthorized file read or write via rsync, potentially compromising data confidentiality and integrity.

Recommendation

Immediately upgrade rsync to version 3.4.3 or later, which includes the fix. Until then, consider using firewall rules or alternative authentication methods.

Original NVD description (English source)

Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS