Skip to main content

Netatalk CVE-2026-44061

| EUVDEUVD-2026-31236 MEDIUM
Observable Timing Discrepancy (CWE-208)
2026-05-21 securin GHSA-9jg7-fcmv-j845
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 08:09 vuln.today

DescriptionCVE.org

In Netatalk 1.5.0 through 4.4.2, des-ecb auth with timing side channel. Fixed in 4.5.0.

AnalysisAI

Timing side-channel exposure in Netatalk's DES-ECB authentication allows a remote unauthenticated attacker to conduct a cryptographic timing oracle attack against the AFP server, potentially recovering authentication secrets or credentials through statistical analysis of server response latency. Affected versions span 1.5.0 through 4.4.2 - a broad range covering multiple major releases - and the issue is rooted in non-constant-time operations during DES-ECB auth processing (CWE-208). No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; Netatalk 4.5.0 resolves the issue per the vendor advisory.

Technical ContextAI

Netatalk is an open-source implementation of the Apple Filing Protocol (AFP), enabling Linux and Unix systems to serve files to macOS clients over a network. The vulnerability resides in the DES-ECB (Data Encryption Standard in Electronic Codebook mode) authentication pathway. CWE-208 (Observable Timing Discrepancy) describes side-channel weaknesses where differences in processing time during cryptographic operations leak information about secret values to an observer. DES-ECB is itself a structurally weak cipher mode - ECB is deterministic and lacks semantic security - making its use in an authentication context compoundingly risky. The timing discrepancy most likely arises from non-constant-time comparison or decryption logic during the auth handshake, permitting an attacker to build a statistical timing oracle by issuing many probes and measuring latency variations. CPE cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:* confirms this affects the Netatalk application directly, not an OS or library dependency.

RemediationAI

Upgrade to Netatalk 4.5.0 or later, which resolves the DES-ECB timing side channel per the vendor advisory at https://netatalk.io/security/CVE-2026-44061. This is a vendor-released patch at an exact confirmed version. If immediate upgrade is operationally infeasible, consider disabling the DES-ECB authentication method in afpd.conf and enforcing use of stronger authentication mechanisms such as DHX2, which Netatalk also supports - note this may break compatibility with very old macOS clients that rely exclusively on legacy DES-ECB auth, so test against client population before enforcing. Additionally, restricting AFP service access at the firewall or network perimeter to only trusted hosts limits the attacker's ability to collect the high-volume timing measurements required for a successful oracle attack; this is a meaningful compensating control given the AC:H requirement.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 12 SP5 Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security Fixed
SUSE Linux Enterprise Server for SAP Applications 12 SP5 Fixed
SUSE Linux Enterprise Desktop 12 Fixed

Share

CVE-2026-44061 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy