Netatalk Security Advisory
| Subject | ASP session ID out-of-bounds access |
|---|---|
| CVE ID# | CVE-2026-44064 |
| Severity | High |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 1.3 - 4.4.2 |
| Summary | An attacker-controlled ASP session ID is used as an array index without validating it against the session table size |
Description
Legacy ASP/DDP session handling can use an attacker-controlled session identifier without adequate validation. When ASP/DDP support is built and enabled, an unauthenticated network attacker may be able to crash the service; reliable code execution is less certain.
Patch Availability
Apply CVE-2026-44064.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.
Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS Calculation
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H (7.1)
Workaround
Restrict legacy AppleTalk access to trusted networks until patched, or disable ASP/DDP support if not needed.
appletalk = no
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team
References
Go back to the Security Policy.
