Medium severity 4.8 · NVD Advisory · Published May 20, 2026 · Updated May 21, 2026
CVE-2026-43617
Description
Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN.
Affected products (6)
- osv-coords, 3 versions, range: < 3.4.3-1.1 + 2 more
  - pkg:rpm/opensuse/rsync&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/rsync&distro=SUSE%20Linux%20Enterprise%20Server%2016.0
  - pkg:rpm/suse/rsync&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
- (no CPE) range: < 3.4.3-1.1
- (no CPE) range: < 3.4.1-160000.4.1
- (no CPE) range: < 3.4.1-160000.4.1
References (3)
- github.com/RsyncProject/rsync/security/advisories/GHSA-rjfm-3w2m-jf4f (nvd, Vendor Advisory)
- www.vulncheck.com/advisories/rsync-authorization-bypass-via-hostname-resolution (nvd, Third Party Advisory)
- github.com/RsyncProject/rsync/releases/tag/v3.4.3 (nvd, Release Notes)