Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
A missing break statement in DSI OpenSession processing in Netatalk 1.5.0 through 4.4.2 causes a DSIOPT_ATTNQUANT switch case to fall through into DSIOPT_SERVQUANT, resulting in unintended session option handling that may allow a remote attacker to cause a minor service disruption via crafted DSI session options.
AnalysisAI
Missing break statement in Netatalk's DSI OpenSession handler allows DSIOPT_ATTNQUANT case to fall through into DSIOPT_SERVQUANT processing, affecting versions 1.5.0 through 4.4.2. An unauthenticated remote attacker can send a crafted DSI session options packet to trigger unintended session option handling, resulting in minor service disruption. No public exploit identified at time of analysis, and the High attack complexity rating (AC:H) constrains real-world exploitation to adversaries capable of precise DSI packet construction.
Technical ContextAI
Netatalk is an open-source Apple Filing Protocol (AFP) server implementation for Linux and Unix systems, identified by CPE cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:*. AFP uses the Data Stream Interface (DSI) as its TCP-based transport layer (default port 548). During DSI OpenSession, the server negotiates session parameters via option codes including DSIOPT_ATTNQUANT (attention quantum, controlling asynchronous attention messages) and DSIOPT_SERVQUANT (server quantum, controlling buffer sizes). CWE-484 (Omitted Break Statement in Switch) identifies the root cause: the switch case handling DSIOPT_ATTNQUANT lacks a terminating break, causing execution to fall through into the DSIOPT_SERVQUANT code block. This means attacker-supplied DSIOPT_ATTNQUANT data is additionally processed as DSIOPT_SERVQUANT input, corrupting the intended session parameter negotiation state.
RemediationAI
Consult the official vendor advisory at https://netatalk.io/security/CVE-2026-44075 for the patched release. No specific fixed version number was confirmed from the available input data - the exact patched version must be verified directly against the vendor advisory before upgrading. As a compensating control, restrict access to the AFP/DSI service port (TCP 548) via firewall or host-based ACL to trusted network segments only, reducing the network-reachable attack surface; note this may impact legitimate AFP client connectivity from non-whitelisted hosts. If AFP services are not required, disabling Netatalk entirely eliminates exposure with no functional trade-off. The fix itself is expected to be a one-line code change (adding the missing break statement), making the patch low-risk to apply.
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. Rated critical severity (CVSS 9.8), th
Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl fi
A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. Rated c
The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of file
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology Dis
Integer underflow in Netatalk's volxlate function affects all releases from 3.0.0 through 4.4.2, an open-source AFP (App
Netatalk versions 3.1.2 through 4.4.2 are distributed as binaries compiled without the FORTIFY_SOURCE flag, stripping aw
Incorrect errno calculation in Netatalk 2.1.0 through 4.4.2 allows remote unauthenticated attackers to cause minor servi
TOCTOU race condition in Netatalk's ad_flush function across versions 3.0.0 through 4.4.2 exposes root-privileged file o
Unbounded realloc during charset conversion in Netatalk 2.0.0 through 4.4.2 allows an authenticated remote attacker to t
Format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows authenticated network attackers to cause low-seve
Information disclosure in Netatalk 3.0.0 through 4.4.2 stems from a dead bounds check (CWE-561) in the Spotlight RPC unm
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31246
GHSA-8qf9-m7wh-563j