CVE-2026-43617

Description

Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN.

How to fix CVE-2026-43617

To remediate CVE-2026-43617, upgrade the affected package to a fixed version below.

—upgrade to 3.4.3-r0 or later
—upgrade to 3.2.3-4+deb11u4 or later

Is CVE-2026-43617 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 3.4.3-r0
from 0, < 3.2.3-4+deb11u4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.8	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2026-43617
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-43617