Vulnerability Description
Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It is important to note that the attacker must present a certificate that is trusted by ZKTrustManager, which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in the client and quorum protocols.
CVSS Score
HIGH (base score 7.4)
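The following Python model illustrates the verification flow the description above refers to, from a defender's point of view: an IP SAN check that, on mismatch, either stops (hardened) or falls through to a reverse-DNS name comparison (the fallback the advisory describes). This is an added example, not ZooKeeper's own ZKTrustManager code; the `allow_reverse_dns` flag, the `verify_peer` and `reverse_lookup` helpers, the host names and the PTR table are all constructed for illustration and do not correspond to the real configuration option introduced in 3.8.6 / 3.9.5. Chain validation is assumed to have already passed, which is the precondition the advisory notes.

```python
import ipaddress

# Constructed reverse-DNS table standing in for real PTR lookups, so the example
# runs offline. 10.0.0.5 is a legitimate ensemble member; 10.0.0.99 is a host
# whose PTR record, in the advisory's scenario, the attacker controls or spoofs.
CONSTRUCTED_PTR = {
    "10.0.0.5": "zk1.example.internal",
    "10.0.0.99": "rogue.example.internal",
}


def reverse_lookup(peer_ip):
    """Stand-in for socket.gethostbyaddr(); returns the PTR name or None."""
    return CONSTRUCTED_PTR.get(peer_ip)


def verify_peer(peer_ip, cert_ip_sans, cert_dns_sans, allow_reverse_dns):
    """Model of the hostname-verification step described in the advisory.

    Assumes chain validation has already succeeded, i.e. the peer presented a
    certificate the trust manager accepts. Returns (accepted, reason) so that a
    caller can log which branch admitted a connection.
    """
    ip = ipaddress.ip_address(peer_ip)
    if any(ip == ipaddress.ip_address(san) for san in cert_ip_sans):
        return True, "ip-san"
    if not allow_reverse_dns:
        # Hardened behaviour: an IP SAN mismatch is final.
        return False, "ip-san-mismatch"
    # Vulnerable fallback: trust whatever name the PTR record yields and accept
    # the certificate if it carries that name as a DNS SAN.
    ptr_name = reverse_lookup(peer_ip)
    if ptr_name is not None and ptr_name in cert_dns_sans:
        return True, "ptr-fallback"
    return False, "ptr-mismatch"


def run_scenarios():
    """Run the verifier with and without the fallback against constructed peers."""
    legit = dict(peer_ip="10.0.0.5", cert_ip_sans=["10.0.0.5"],
                 cert_dns_sans=["zk1.example.internal"])
    # A trusted certificate issued for the name the rogue PTR record returns,
    # whose IP SAN does not match the connecting address.
    rogue = dict(peer_ip="10.0.0.99", cert_ip_sans=["192.0.2.10"],
                 cert_dns_sans=["rogue.example.internal"])
    return {
        "legit_fallback_on": verify_peer(allow_reverse_dns=True, **legit),
        "legit_fallback_off": verify_peer(allow_reverse_dns=False, **legit),
        "rogue_fallback_on": verify_peer(allow_reverse_dns=True, **rogue),
        "rogue_fallback_off": verify_peer(allow_reverse_dns=False, **rogue),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in run_scenarios().items():
        print(f"{name:20s} accepted={accepted} reason={reason}")
```

The legitimate peer is accepted through the IP SAN branch in both modes, so disabling the fallback costs nothing for correctly issued certificates; only the peer whose acceptance depends on a PTR record changes outcome. Logging the `reason` value is a cheap way to audit whether any existing connection in a deployment actually relies on the `ptr-fallback` path before switching the fallback off.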
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Zookeeper | >= 3.8.0, < 3.8.6 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2 (Mailing List, Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2026/03/07/4 (Mailing List, Third Party Advisory)
FAQ
What is CVE-2026-24281?
CVE-2026-24281 is a vulnerability with a CVSS score of 7.4 (HIGH). Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name.
How severe is CVE-2026-24281?
CVE-2026-24281 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2026-24281?
Yes. The vendor advises upgrading to Apache ZooKeeper 3.8.6 or 3.9.5, which add a configuration option to disable reverse DNS lookup in the client and quorum protocols. Check the references section above for the vendor advisory and patch details. Affected products include: Apache Zookeeper.