CVE-2026-24281

Name: CVE-2026-24281
Description: Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It is important to note that the attacker must present a certificate which is trusted by ZKTrustManager, which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1130496

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release                       | Version           | Status
zookeeper (PTS) | bullseye (security), bullseye | 3.4.13-6+deb11u1  | vulnerable
                | bookworm                      | 3.8.0-11+deb12u2  | vulnerable
                | bookworm (security)           | 3.8.0-11+deb12u1  | vulnerable
                | trixie                        | 3.9.3-1+deb13u1   | vulnerable
                | forky, sid                    | 3.9.5-1           | fixed

The information below is based on the following data on fixed versions.

Package   | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
zookeeper | source | (unstable) | 3.9.5-1       |         |        | 1130496

Notes

https://lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2
