CVE-2026-43617

NameCVE-2026-43617
DescriptionRsync versionĀ 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4591-1, DSA-6282-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rsync (PTS)bullseye3.2.3-4+deb11u1vulnerable
bullseye (security)3.2.3-4+deb11u4fixed
bookworm3.2.7-1+deb12u4vulnerable
bookworm (security)3.2.7-1+deb12u5fixed
trixie3.4.1+ds1-5+deb13u2vulnerable
trixie (security)3.4.1+ds1-5+deb13u3fixed
forky3.4.2+ds1-2vulnerable
sid3.4.3+ds1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rsyncsourcebullseye3.2.3-4+deb11u4DLA-4591-1
rsyncsourcebookworm3.2.7-1+deb12u5DSA-6282-1
rsyncsourcetrixie3.4.1+ds1-5+deb13u3DSA-6282-1
rsyncsource(unstable)3.4.3+ds1-1

Notes

https://download.samba.org/pub/rsync/NEWS#3.4.3
https://www.openwall.com/lists/oss-security/2026/05/20/6
Search for package or bug name: Reporting problems