Skip to main content

Netatalk CVE-2026-44053

| EUVDEUVD-2026-31232 HIGH
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
2026-05-21 securin GHSA-8vhp-c4pr-9rq3
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 08:02 vuln.today

DescriptionCVE.org

In Netatalk 1.5.0 through 4.2.2, weak cryptography in dhcast128 uam. Fixed in 4.5.0.

AnalysisAI

Weak cryptography in the dhcast128 user authentication module (UAM) of Netatalk versions 1.5.0 through 4.2.2 allows remote attackers to compromise confidentiality and integrity of AFP authentication exchanges. The flaw was reported by Securin and tagged as an information disclosure issue; no public exploit identified at time of analysis. The CVSS 7.4 score with High attack complexity reflects that exploitation requires conditions beyond a simple network request, yet the impact on credential material and session integrity is significant.

Technical ContextAI

Netatalk is the open-source implementation of the Apple Filing Protocol (AFP) suite, providing file and print services to macOS clients from Unix/Linux servers (CPE: cpe:2.3:a:netatalk:netatalk:*). The dhcast128 UAM is one of AFP's pluggable authentication modules that combines a Diffie-Hellman key agreement with CAST-128 (CAST5) symmetric encryption to protect the password exchange between client and server. The root cause is CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), meaning the cryptographic primitives, parameters, or construction used in this UAM no longer provide adequate strength against modern cryptanalysis - CAST-128's 128-bit block with 64-bit blocks and the DH parameters chosen in legacy AFP design are widely considered insufficient.

RemediationAI

Vendor-released patch: Netatalk 4.5.0; upgrade affected installations from any version in the 1.5.0 through 4.2.2 range to 4.5.0 or later as published at https://netatalk.io/security/CVE-2026-44053. If immediate upgrade is not possible, disable the dhcast128 UAM in afp.conf (for example by setting 'uam list' to exclude uams_dhx.so / uams_dhx2.so or whichever module ships dhcast128 on the distribution) and require a stronger UAM such as DHX2 or Kerberos/GSSAPI, accepting that very old macOS clients that only negotiate dhcast128 will lose the ability to authenticate. As a network-level compensating control, restrict TCP/548 to trusted client subnets or tunnel AFP over a VPN to remove untrusted MitM positions, with the trade-off of reduced client reachability.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Server 12 SP5 Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security Fixed
SUSE Linux Enterprise Server for SAP Applications 12 SP5 Fixed
SUSE Linux Enterprise Desktop 12 Fixed

Share

CVE-2026-44053 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy