Netatalk Security Advisory
| Subject | Pre-authentication DSI frame smuggling |
|---|---|
| CVE ID# | CVE-2026-62320 |
| Severity | Medium |
| Disclosure Date | 2026/07/16 |
| Affected Versions | 1.5.0-4.5.0 |
| Summary | Oversized DSI frames leave attacker-controlled bytes queued for the next receive operation |
Description
The pre-authentication DSI listener truncates oversized frame payloads without rejecting or draining them. An unauthenticated remote attacker can leave residual bytes in the TCP stream to be parsed as additional DSI frames.
Patch Availability
Apply CVE-2026-62319,CVE-2026-62320.patch to a Netatalk 4.5.0 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.1 or later, which includes the patch.
Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS Calculation
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N (6.9)
Workaround
Restrict access to AFP port 548 to trusted networks using firewall rules until patched.
Credits
Vulnerability reported by:
Alejandro Ramos aramosf@gmail.com
Patch developed by:
Daniel Markstedt of the Netatalk team
References
Go back to the Security Policy.