Skip to main content

Rsync EUVDEUVD-2026-31013

| CVE-2026-43617 MEDIUM
Authentication Bypass by Alternate Name (CWE-289)
2026-05-20 VulnCheck GHSA-4j4q-473w-9q2r
6.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Red Hat
4.2 MEDIUM
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 20, 2026 - 02:22 NVD
4.8 (MEDIUM) 6.3 (MEDIUM)
Patch available
May 20, 2026 - 02:01 EUVD
Source Code Evidence Fetched
May 20, 2026 - 01:45 vuln.today
Analysis Generated
May 20, 2026 - 01:45 vuln.today

DescriptionCVE.org

Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN.

AnalysisAI

Hostname-based ACL bypass in the rsync daemon (rsync ≤ 3.4.2) allows unauthenticated remote attackers to circumvent administrator-configured deny rules when the daemon runs with chroot enabled. By manipulating the PTR record for their source IP or engineering a reverse DNS resolution failure, an attacker causes the daemon to fall back to the default hostname 'UNKNOWN', which does not match any configured deny entry and therefore permits the connection. Confidentiality and integrity are both partially at risk; no public exploit has been identified at time of analysis, and a vendor-released patch (v3.4.3) is available.

Technical ContextAI

Rsync's daemon mode (rsyncd) supports hostname-based access control in its rsyncd.conf via 'hosts allow' and 'hosts deny' directives. When chroot is enabled, the daemon performs reverse DNS (PTR) lookups on the connecting client's IP to resolve a hostname for ACL matching. CWE-289 (Authentication Bypass by Alternate Name) describes the root cause: the system trusts an attacker-controllable alternate identifier - here the PTR record - rather than the canonical IP address for access decisions. When PTR resolution fails or is not found, the code defaults the resolved hostname to the literal string 'UNKNOWN', and if no ACL entry explicitly denies 'UNKNOWN', the deny rule is effectively skipped. Affected CPE: cpe:2.3:a:rsyncproject:rsync:*:*:*:*:*:*:*:* covering all versions through 3.4.2. The chroot configuration is the deployment prerequisite that activates this code path.

RemediationAI

Upgrade to rsync version 3.4.3, which includes the combined security fixes per the official release at https://github.com/RsyncProject/rsync/releases/tag/v3.4.3 (confirmed by pull request #895: 'combined security fixes for 3.4.3 release'). If immediate upgrade is not possible, the most targeted compensating control is to replace or supplement hostname-based deny rules with IP address-based restrictions in rsyncd.conf, since IP-based ACLs are not subject to PTR resolution and cannot be bypassed via DNS manipulation. A second option is to explicitly add 'UNKNOWN' to the hosts deny list in rsyncd.conf (e.g., 'hosts deny = UNKNOWN badhost.example.com'), which closes the fallback bypass without requiring a code change - note this may inadvertently block clients with broken reverse DNS that are legitimately permitted. Restricting rsync daemon exposure to internal or trusted networks via firewall rules reduces the attacker's ability to even initiate a connection, mitigating AC:H further. Disabling hostname-based ACLs entirely and relying solely on IP-based or credential-based access controls eliminates the vulnerable code path at the cost of losing hostname-based policy flexibility.

More in Rsync

View all
CVE-2024-12085 HIGH POC
7.5 Jan 14

A flaw was found in rsync which could be triggered when rsync compares file checksums. Rated high severity (CVSS 7.5), t

CVE-2024-12084 CRITICAL POC
9.8 Jan 15

A heap-based buffer overflow flaw was found in the rsync daemon. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2014-9512 MEDIUM POC
6.4 Feb 12

rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization pa

CVE-2024-12087 HIGH POC
7.5 Jan 14

Server-to-client path traversal in rsync lets a malicious or compromised rsync server write files outside the client's i

CVE-2022-29154 HIGH POC
7.4 Aug 02

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the d

CVE-2014-2855 HIGH
7.8 Apr 23

The check_secret function in authenticate.c in rsync 3.1.0 and earlier allows remote attackers to cause a denial of serv

CVE-2024-12086 MEDIUM POC
6.8 Jan 14

A flaw was found in rsync. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authenticati

CVE-2017-16548 CRITICAL
9.8 Nov 06

The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character

CVE-2017-17434 CRITICAL
9.8 Dec 06

The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_

CVE-2017-15994 CRITICAL
9.8 Oct 29

rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to by

CVE-2024-12088 HIGH
7.5 Jan 14

Arbitrary file write outside the intended destination in rsync's client-side `--safe-links` handling allows a malicious

CVE-2026-41035 HIGH
7.8 Apr 16

Receiver-side use-after-free in rsync 3.0.1 through 3.4.1 lets a malicious peer corrupt memory on a host running rsync w

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:latest Image SLE-Micro-BYOS-EC2 Affected
Image SLES15-SP6 Image SLES15-SP6-BYOS Image SLES15-SP6-BYOS-Azure Image SLES15-SP6-BYOS-EC2 Image SLES15-SP6-BYOS-GCE Image SLES15-SP6-GCE Image SLES15-SP6-HPC-BYOS Image SLES15-SP6-HPC-BYOS-Azure Image SLES15-SP6-HPC-BYOS-EC2 Image SLES15-SP6-HPC-BYOS-GCE Image SLES15-SP6-HPC-EC2 Image SLES15-SP6-HPC-GCE Image SLES15-SP6-Hardened-BYOS Image SLES15-SP6-Hardened-BYOS-Azure Image SLES15-SP6-Hardened-BYOS-EC2 Image SLES15-SP6-Hardened-BYOS-GCE Image SLES15-SP6-SAP Image SLES15-SP6-SAP-Azure Image SLES15-SP6-SAP-GCE Image SLES15-SP6-SAPCAL Image SLES15-SP6-SAPCAL-Azure Image SLES15-SP6-SAPCAL-GCE Image SLES15-SP7-HPC-BYOS-Azure Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server 15 SP6-LTSS Fixed

Share

EUVD-2026-31013 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy