PatchSiren cyber security CVE debrief
CVE-2026-43617 RsyncProject CVE debrief
CVE-2026-43617 is an authorization bypass in rsync daemon deployments that rely on hostname-based access controls while running in chroot. Published on 2026-05-20, the issue affects rsync 3.4.2 and prior. A remote attacker who controls the PTR (reverse DNS) record for their own source IP can present a hostname that does not match a hostname-based deny rule, so a connection the rule was expected to block is admitted. The vendor advisory and release notes indicate 3.4.3 as the fix.
- Vendor: RsyncProject
- Product: rsync
- CVSS: 6.3 (MEDIUM)
- CISA KEV: not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-21
Who should care
Administrators running the rsync daemon (rsyncd), especially deployments that combine chroot with hostname patterns in hosts allow or hosts deny rules. Teams responsible for internet-exposed file transfer services should prioritize it, because the access decision is made before any module authentication, so defeating it requires no credentials.
Technical summary
NVD and the referenced vendor materials describe a hostname-based authorization bypass in the rsync daemon's hosts allow / hosts deny enforcement when chroot is enabled. The weakness lies in how the client's name is derived from reverse DNS: the PTR record for a source address is controlled by whoever controls that address's reverse zone, typically the attacker's own network. If the daemon compares hostname patterns against that PTR-derived name, an attacker can choose a name that avoids a deny rule, even in situations where a failed reverse lookup would otherwise have defaulted the name to UNKNOWN and the rule would have held. The NVD entry classifies the issue as affecting rsync versions through 3.4.2 and maps it to CWE-289 (Authentication Bypass by Alternate Name).
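The following is an added example, not code from the rsync project or from the referenced advisories. It is a simplified, hypothetical model of an allow/deny check that derives the client name from reverse DNS, written to show why an attacker-controlled PTR record defeats hostname patterns and how forward-confirmed reverse DNS (keeping the PTR name only if it resolves back to the connecting address) or plain address rules remove the problem. All addresses, names and DNS records are constructed for the example; the rule ordering follows the documented rsyncd.conf semantics in outline only and is not rsync's implementation.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed DNS data for this offline example (not real hosts or records).
# 203.0.113.7 is the attacker: they control its PTR record and point it at a
# name that looks like a legitimate partner mirror. 198.51.100.20 is the real
# mirror, whose PTR and A records agree.
PTR_RECORDS = {
    "203.0.113.7": "mirror.partner.example",
    "198.51.100.20": "mirror.partner.example",
}
A_RECORDS = {
    "mirror.partner.example": ["198.51.100.20"],
}


def reverse_lookup(ip):
    return PTR_RECORDS.get(ip)


def forward_lookup(name):
    return A_RECORDS.get(name, [])


def client_name_naive(ip):
    """Trust whatever the PTR record says; fall back to UNKNOWN on failure."""
    return reverse_lookup(ip) or "UNKNOWN"


def client_name_fcrdns(ip):
    """Forward-confirmed reverse DNS: keep the PTR name only if it resolves
    back to the connecting address. Anything else is treated as UNKNOWN."""
    name = reverse_lookup(ip)
    if name and ip in forward_lookup(name):
        return name
    return "UNKNOWN"


def rule_matches(pattern, ip, name):
    """An address or CIDR rule is tested against the IP; anything else is a
    hostname glob tested against the (possibly attacker-chosen) name."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return fnmatch(name.lower(), pattern.lower())


def connection_allowed(ip, allow, deny, resolve_name):
    """Hypothetical simplified evaluation (not rsync's code): a match in
    `allow` admits, then a match in `deny` rejects, then a non-empty `allow`
    list rejects everything it did not match."""
    name = resolve_name(ip)
    if any(rule_matches(p, ip, name) for p in allow):
        return True
    if any(rule_matches(p, ip, name) for p in deny):
        return False
    return not allow


if __name__ == "__main__":
    allow = ["*.partner.example"]
    # Attacker-controlled PTR is taken at face value: the spoofed name matches.
    print(connection_allowed("203.0.113.7", allow, [], client_name_naive))     # True
    # Forward confirmation fails, the name becomes UNKNOWN, the rule holds.
    print(connection_allowed("203.0.113.7", allow, [], client_name_fcrdns))    # False
    # The real mirror still passes the confirmed check.
    print(connection_allowed("198.51.100.20", allow, [], client_name_fcrdns))  # True
    # Address rules never consult DNS, so the PTR record is irrelevant.
    print(connection_allowed("203.0.113.7", ["198.51.100.0/24"], [], client_name_naive))  # False
```

The first call is the shape of the bypass: the name used for the decision comes from a record the connecting party controls. The last call shows why address or CIDR rules are the robust choice; the forward-confirmed variant is the fallback when a hostname rule is genuinely required.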
Defensive priority
Medium. This is a network-reachable, pre-authentication authorization bypass in a widely deployed daemon, but the available source set does not indicate active exploitation or KEV inclusion.
Recommended defensive actions
- Upgrade rsync to version 3.4.3 or later, as referenced in the vendor release notes and advisory.
- Review rsync daemon configurations that use chroot together with hostname patterns in hosts allow or hosts deny.
- Prefer address or CIDR rules, which never consult DNS, over hostname patterns; where a hostname rule is unavoidable, do not let a PTR-derived name alone decide access.
- Audit exposed rsync services for unexpected trust in PTR-derived hostnames, and test after upgrading that a source the rules are meant to deny is still rejected.
- Confirm affected hosts against the NVD version range (vulnerable through 3.4.2). Note that distribution packages may carry a backported fix under an older upstream version string, so check the package changelog as well as the reported version.
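As an added example for the review and inventory steps above (not a tool from the rsync project or the advisories), the hypothetical script below parses the output of rsync --version, compares it against the NVD range, and walks an rsyncd.conf to flag modules whose hosts allow or hosts deny entries are hostname patterns rather than addresses or CIDR blocks, recording whether chroot is in effect for each (rsyncd.conf defaults use chroot to yes). The version output and configuration are constructed inline so the example runs offline; on a real host you would feed it the actual files.

```python
import ipaddress
import re

# Constructed sample inputs for this offline example (not captured from a real host).
SAMPLE_VERSION_OUTPUT = "rsync  version 3.4.2  protocol version 32\n"
SAMPLE_RSYNCD_CONF = """
# global defaults apply to every module unless the module overrides them
use chroot = yes
hosts deny = *.blocked.example

[backups]
    path = /srv/backups
    hosts allow = *.partner.example 198.51.100.0/24

[pub]
    path = /srv/pub
    hosts allow = 192.0.2.0/24, 2001:db8::/32
    hosts deny =

[scratch]
    path = /srv/scratch
    use chroot = no
    hosts allow = build-*.internal.example
"""

LAST_VULNERABLE = (3, 4, 2)  # per the NVD range for CVE-2026-43617


def parse_version(text):
    """Extract (major, minor, patch) from `rsync --version` output."""
    m = re.search(r"version\s+(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no rsync version string found")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version):
    # Upstream version only; a distro backport may fix this under an older number.
    return version <= LAST_VULNERABLE


def parse_rsyncd_conf(text):
    """Return {section_name: {param: value}}; the global section is keyed ''."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip().lower()] = value.strip()
    return sections


def split_hosts(value):
    """hosts allow/deny values are whitespace- or comma-separated."""
    return [p for p in re.split(r"[\s,]+", value) if p]


def is_address_rule(pattern):
    """True for a bare address, address/bits or address/mask; False for hostnames."""
    try:
        ipaddress.ip_network(pattern, strict=False)
        return True
    except ValueError:
        return False


def audit(conf_text, version_text):
    """List modules whose access rules depend on reverse DNS."""
    sections = parse_rsyncd_conf(conf_text)
    global_params = sections.pop("")
    vulnerable = is_vulnerable_version(parse_version(version_text))
    findings = []
    for module, params in sections.items():
        merged = {**global_params, **params}
        chroot = merged.get("use chroot", "yes").lower() in ("yes", "true", "1")
        hostname_rules = []
        for key in ("hosts allow", "hosts deny"):
            hostname_rules += [p for p in split_hosts(merged.get(key, "")) if not is_address_rule(p)]
        if hostname_rules:
            findings.append({
                "module": module,
                "use_chroot": chroot,
                "hostname_rules": hostname_rules,
                "vulnerable_version": vulnerable,
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RSYNCD_CONF, SAMPLE_VERSION_OUTPUT):
        print(finding)
```

In the constructed configuration, pub is not reported because its module-level empty hosts deny overrides the global hostname rule and its allow list is purely address-based; backups inherits the global hostname deny and adds its own hostname allow while running in chroot, which is exactly the combination this advisory concerns.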
Evidence notes
Source corpus includes the NVD CVE record, which marks the vulnerability as analyzed and lists vulnerable rsync versions through 3.4.2, plus references to the rsync 3.4.3 release notes and vendor advisory. The description and NVD weakness mapping support an authorization-bypass interpretation (CWE-289). No KEV record or ransomware linkage is present in the supplied data.
Official resources
- CVE-2026-43617 CVE record (CVE.org)
- CVE-2026-43617 NVD detail (NVD)
- Vendor reference: rsync 3.4.3 release notes
- Vendor reference: vendor advisory
- Third-party advisory
Publicly disclosed in the CVE record on 2026-05-20 and last modified on 2026-05-21. No KEV inclusion is indicated in the supplied data.