Fluid Attacks Database

Description

Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	rsync	=3.2.7-1 \|\| =3.2.7-1+deb12u1 \|\| =3.2.7-1+deb12u2 \|\| =3.2.7-1+deb12u3 \|\| =3.2.7-1+deb12u4 \|\| >=0 <3.2.7-1+deb12u5	3.2.7-1+deb12u5
debian 14	rsync	=3.4.1+ds1-5 \|\| =3.4.1+ds1-6 \|\| =3.4.1+ds1-7 \|\| =3.4.1+ds1-8~exp1 \|\| =3.4.2+ds1-1 \|\| =3.4.2+ds1-2 \|\| >=0 <3.4.3+ds1-1	3.4.3+ds1-1
debian 13	rsync	=3.4.1+ds1-5 \|\| =3.4.1+ds1-5+deb13u1 \|\| =3.4.1+ds1-5+deb13u2 \|\| >=0 <3.4.1+ds1-5+deb13u3	3.4.1+ds1-5+deb13u3
debian 11	rsync	=3.2.3-4 \|\| =3.2.3-4+deb11u1 \|\| =3.2.3-4+deb11u2 \|\| =3.2.3-4+deb11u3 \|\| >=0 <3.2.3-4+deb11u4	3.2.3-4+deb11u4
alpine v3.20	rsync	>=0 <3.4.3-r0	3.4.3-r0
alpine v3.21	rsync	>=0 <3.4.3-r0	3.4.3-r0
alpine v3.22	rsync	>=0 <3.4.3-r0	3.4.3-r0
alpine v3.23	rsync	>=0 <3.4.3-r0	3.4.3-r0
rpm rhel8	rsync	-	-
rpm rhel10	rsync	-	-

1-10 of 13

Aliases

1. CVE-2026-436172. NVD-2026-436173. OSV-DEBIAN-2026-436174. OSV-2026-436175. OSV-ALPINE-2026-436176. SECURITY-TRACKER-CVE-2026-436177. SECURITY-CVE-2026-43617

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.