netatalk.io

Netatalk Security Advisory

Subject DSIWrite frame desynchronization
CVE ID# CVE-2026-62319
Severity Medium
Disclosure Date 2026/07/16
Affected Versions 1.5.0-4.5.0
Summary DSIWrite accepts a data offset larger than the declared frame payload

Description

DSIWrite handling does not validate that the data offset is within the declared payload length. An authenticated client can consume bytes from the following frame, desynchronize the DSI stream, and control the next parsed frame.

Patch Availability

Apply CVE-2026-62319,CVE-2026-62320.patch to a Netatalk 4.5.0 source tree to hotfix your local Netatalk deployment.

Alternatively, upgrade to Netatalk 4.5.1 or later, which includes the patch.

Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.

CVSS Calculation

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N (5.3)

Workaround

No practical workaround is available beyond applying the patch; restrict AFP access to trusted users until patched.

Credits

Vulnerability reported by:

Alejandro Ramos aramosf@gmail.com

Patch developed by:

Daniel Markstedt of the Netatalk team

References


Go back to the Security Policy.