netatalk.io

Netatalk Security Advisory

Subject Use-after-free in DHX2 login continuation
CVE ID# CVE-2026-62318
Severity High
Disclosure Date 2026/07/16
Affected Versions 2.0.0-4.5.0
Summary Repeated DHX2 login continuation packets can trigger pre-authentication memory corruption

Description

The DHX2 login state machine accepts a repeated continuation packet after releasing its Diffie-Hellman state. An unauthenticated remote attacker can trigger a use-after-free and double-free in a root-privileged afpd worker, potentially enabling a Denial of Service attack.

Patch Availability

Apply CVE-2026-62318.patch to a Netatalk 4.5.0 source tree to hotfix your local Netatalk deployment.

Alternatively, upgrade to Netatalk 4.5.1 or later, which includes the patch.

Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.

CVSS Calculation

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (8.7)

Workaround

Use the SRP UAM instead of DHX2.

[Global]
uam list = uams_srp.so

Alternatively, restrict AFP port 548 to trusted networks until patched.

Credits

Vulnerability reported by:

Alejandro Ramos aramosf@gmail.com

Patch developed by:

Daniel Markstedt of the Netatalk team

References


Go back to the Security Policy.