Netatalk Security Advisory
| Subject | Use-after-free in DHX2 login continuation |
|---|---|
| CVE ID# | CVE-2026-62318 |
| Severity | High |
| Disclosure Date | 2026/07/16 |
| Affected Versions | 2.0.0-4.5.0 |
| Summary | Repeated DHX2 login continuation packets can trigger pre-authentication memory corruption |
Description
The DHX2 login state machine accepts a repeated continuation packet after releasing its Diffie-Hellman state. An unauthenticated remote attacker can trigger a use-after-free and double-free in a root-privileged afpd worker, potentially enabling a Denial of Service attack.
Patch Availability
Apply CVE-2026-62318.patch to a Netatalk 4.5.0 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.1 or later, which includes the patch.
Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS Calculation
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (8.7)
Workaround
Use the SRP UAM instead of DHX2.
[Global]
uam list = uams_srp.so
Alternatively, restrict AFP port 548 to trusted networks until patched.
Credits
Vulnerability reported by:
Alejandro Ramos aramosf@gmail.com
Patch developed by:
Daniel Markstedt of the Netatalk team
References
Go back to the Security Policy.