Netatalk Security Advisory
| Subject | Pre-authentication DSI protocol desync |
|---|---|
| CVE ID# | CVE-2026-45354 |
| Severity | High |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 1.5.0 - 4.4.2 |
| Summary | DSI packet receiver misreads a header field for non-WRITE commands, enabling pre-authentication protocol desync and denial of service |
Description
DSI packet parsing can desynchronize protocol state before authentication when certain header fields are inconsistent with the command type. An unauthenticated network client may be able to disrupt AFP sessions, consume worker resources, or corrupt protocol state. This advisory intentionally omits packet-level trigger details.
Patch Availability
Apply CVE-2026-45354.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.
Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS Calculation
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)
Workaround
No known workaround. Restrict Netatalk to trusted networks until patched.
Credits
Vulnerability reported by:
Tristan (@TristanInSec)
Patch developed by:
Daniel Markstedt of the Netatalk team