netatalk.io

Netatalk Security Advisory

Subject Integer underflow in dsi_writeinit() leads to denial of service
CVE ID# CVE-2026-44060
Severity High
Disclosure Date 2026/05/13
Affected Versions 1.5.0 - 4.4.2
Summary Missing bounds check in DSI write handling allows an unauthenticated attacker to cause a denial of service

Description

An integer underflow in dsi_writeinit(), caused by a missing bounds check in DSI write handling, lets a client-supplied write request produce a miscalculated and oversized expected payload size. The afpd child serving that connection then spends substantial time receiving data for the request, tying up the process. This can be abused for denial of service, including before authentication in the affected protocol states, so the attacker needs no credentials. The issue is not considered memory corruption or remote code execution.
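The following C model is an added illustration written for this advisory page; it is not Netatalk's dsi_writeinit() and not the patch. It shows the bug class the subject line names: a payload size computed as total length minus data offset in unsigned arithmetic, with no check that the offset lies within the total, beside a hardened version that rejects such a request. The 16-byte DSI header layout is the one from the AFP/DSI specification; that dsi_writeinit() computes its size in exactly this form, the quantum limit, the function names, and the two constructed headers are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative model of the bug class, not Netatalk's dsi_writeinit().
 * DSI header layout (16 bytes, big-endian) per the AFP/DSI spec:
 *   flags(1) command(1) requestID(2) errorCode/dataOffset(4)
 *   totalDataLength(4) reserved(4)
 * For DSIWrite (command 6) the 4-byte field at offset 4 is the data offset.
 */
#define DSI_HDR_LEN      16
#define DSI_CMD_WRITE    6
#define DSI_DATAOFF_POS  4
#define DSI_TOTALLEN_POS 8
#define SERVER_QUANTUM   65536   /* hypothetical negotiated maximum request size */

typedef struct {
    uint8_t  command;
    uint32_t data_offset;
    uint32_t total_len;
} dsi_write_hdr;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse the fixed DSI header; false if too short or not a DSIWrite. */
bool dsi_parse_write_hdr(const uint8_t *buf, size_t len, dsi_write_hdr *out)
{
    if (len < DSI_HDR_LEN || buf[1] != DSI_CMD_WRITE)
        return false;
    out->command     = buf[1];
    out->data_offset = be32(buf + DSI_DATAOFF_POS);
    out->total_len   = be32(buf + DSI_TOTALLEN_POS);
    return true;
}

/* Vulnerable shape (assumed, for illustration): unsigned subtraction with no
 * ordering check. If data_offset > total_len the result wraps to a huge
 * size_t, and a receive loop driven by it keeps waiting for bytes that the
 * client never sends. */
size_t dsi_write_payload_vuln(const dsi_write_hdr *h)
{
    return (size_t)h->total_len - (size_t)h->data_offset;
}

/* Hardened: reject an offset past the end of the request and a total larger
 * than the quantum, so the subtraction can never underflow. */
bool dsi_write_payload_checked(const dsi_write_hdr *h, size_t quantum, size_t *out)
{
    if (h->data_offset > h->total_len)
        return false;            /* would underflow */
    if (h->total_len > quantum)
        return false;            /* larger than the client may send */
    *out = (size_t)h->total_len - (size_t)h->data_offset;
    return true;
}

/* Constructed hostile header: DSIWrite, dataOffset=4096 > totalDataLength=64. */
static const uint8_t HOSTILE_HDR[DSI_HDR_LEN] = {
    0x00, DSI_CMD_WRITE, 0x00, 0x01,   /* flags, command, requestID */
    0x00, 0x00, 0x10, 0x00,            /* dataOffset = 4096 */
    0x00, 0x00, 0x00, 0x40,            /* totalDataLength = 64 */
    0x00, 0x00, 0x00, 0x00             /* reserved */
};

/* Constructed benign header: dataOffset=16, totalDataLength=64 -> 48 bytes. */
static const uint8_t BENIGN_HDR[DSI_HDR_LEN] = {
    0x00, DSI_CMD_WRITE, 0x00, 0x02,
    0x00, 0x00, 0x00, 0x10,            /* dataOffset = 16 */
    0x00, 0x00, 0x00, 0x40,            /* totalDataLength = 64 */
    0x00, 0x00, 0x00, 0x00
};

/* Size the vulnerable arithmetic would try to receive for a raw header. */
size_t vuln_size_for(const uint8_t *raw)
{
    dsi_write_hdr h;
    return dsi_parse_write_hdr(raw, DSI_HDR_LEN, &h) ? dsi_write_payload_vuln(&h) : 0;
}

/* 1 if the hardened check accepts the header, 0 if it rejects it. */
int checked_accepts(const uint8_t *raw)
{
    dsi_write_hdr h;
    size_t n;
    return dsi_parse_write_hdr(raw, DSI_HDR_LEN, &h) &&
           dsi_write_payload_checked(&h, SERVER_QUANTUM, &n);
}

/* Payload size the hardened path accepts, or 0 if it rejects the header. */
size_t checked_size_for(const uint8_t *raw)
{
    dsi_write_hdr h;
    size_t n = 0;
    if (!dsi_parse_write_hdr(raw, DSI_HDR_LEN, &h) ||
        !dsi_write_payload_checked(&h, SERVER_QUANTUM, &n))
        return 0;
    return n;
}

int main(void)
{
    printf("hostile: vulnerable size=%zu checked=%d\n",
           vuln_size_for(HOSTILE_HDR), checked_accepts(HOSTILE_HDR));
    printf("benign:  vulnerable size=%zu checked=%d payload=%zu\n",
           vuln_size_for(BENIGN_HDR), checked_accepts(BENIGN_HDR),
           checked_size_for(BENIGN_HDR));
    return 0;
}
```

On a 64-bit build the hostile header makes the vulnerable path expect SIZE_MAX minus 4031 bytes, which is why a child fed such a request stays busy receiving instead of failing fast; the hardened path refuses the request before any read loop starts.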

Patch Availability

Apply CVE-2026-44060.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment, then rebuild and restart afpd so that running processes pick up the fix.

Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.

Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible. After upgrading, confirm the installed version with afpd -V.

CVSS Calculation

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)

Workaround

Restrict access to AFP (TCP port 548) to trusted networks using firewall rules. This limits pre-authentication exposure until the patch can be applied; it does not remove the issue, since any host that can still reach port 548 can trigger it without credentials.

Credits

Vulnerability reported by:

@00redbeer

Independently discovered and reported by:

Tristan (@TristanInSec)

Patch developed by:

Daniel Markstedt of the Netatalk team
