{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-20T00:00:00Z",
  "bugzilla" : {
    "description" : "rsync: rsync: Hostname-based ACL bypass in daemon chroot configuration",
    "id" : "2469060",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2469060"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-289",
  "details" : [ "Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN.", "A flaw was found in rsync. When an rsync daemon is configured with \"daemon chroot = /X\" and uses hostname-based access control lists (ACLs), and the chrooted directory /X lacks necessary DNS resolution files, a remote attacker can bypass hostname-based deny rules. This occurs because the daemon performs reverse-DNS lookups after chrooting, causing the lookup to fail and the connecting hostname to be identified as \"UNKNOWN\". An attacker can exploit this by controlling their pointer (PTR) record, enabling unauthorized connections from hostnames that should have been denied." ],
  "statement" : "This Moderate flaw in rsync allows an attacker to bypass hostname-based access controls on an rsync daemon configured with `daemon chroot = /X` when the chrooted environment lacks DNS resolution support. This bypass occurs because reverse-DNS lookups fail, causing the connecting hostname to be identified as \"UNKNOWN\". IP-based access controls are not affected.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Out of support scope",
    "package_name" : "rsync",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Fix deferred",
    "package_name" : "rsync",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "rsync",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "rsync",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "rsync",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-43617\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43617" ],
  "name" : "CVE-2026-43617",
  "mitigation" : {
    "value" : "To mitigate this issue, ensure that the chrooted environment (`/X`) for any rsync daemon configured with `daemon chroot = /X` includes the necessary DNS resolution files (e.g., `/etc/resolv.conf`, `/etc/nsswitch.conf`, `/etc/hosts`, and NSS service modules). Alternatively, configure rsync daemon access controls using IP addresses instead of hostnames, as IP-based ACLs are not affected. A restart of the rsync service may be required for configuration changes to take effect.",
    "lang" : "en:us"
  },
  "csaw" : false
}