Vulnerability CVE-2026-24281: Information

Description

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.

Severity: HIGH (7.4)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
URL: https://nvd.nist.gov/vuln/detail/CVE-2026-24281
Published: March 7, 2026
Modified: March 10, 2026
Error type identifier: CWE-295

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
kafkasisyphus4.2.0-alt24.2.0-alt4ALT-PU-2026-5782-1414376Fixed
kafkasisyphus_loongarch644.2.0-alt34.2.0-alt4ALT-PU-2026-5915-1-Fixed
kafkac10f24.2.0-alt33.9.1-alt2.c10.1ALT-PU-2026-5788-1414377Testing

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2
  • Mailing List
  • Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/03/07/4
  • Mailing List
  • Third Party Advisory
GHSA-7xrh-hqfc-g7qr
      1. cpe:2.3:a:apache:zookeeper:*:*:*:*:*:*:*:*
        Start including
        3.8.0
        End excluding
        3.8.6
        cpe:2.3:a:apache:zookeeper:*:*:*:*:*:*:*:*
        Start including
        3.9.0
        End excluding
        3.9.5
    VKontakte|Telegram|YouTube|Forum|ALT Linux Space|Bugzilla
    Version: v26.2.2
    Back to top