Netatalk Security Advisory
| Subject | Missing range validation for server quantum |
|---|---|
| CVE ID# | CVE-2026-49390 |
| Severity | Low |
| Disclosure Date | 2026/05/30 |
| Affected Versions | 3.0.0 - 4.4.3 |
| Summary | The server quantum configuration option is parsed without enforcing the documented range |
Description
The server quantum option in afp.conf is not range-validated during configuration parsing. Although the manual states that out-of-range values fall back to the default, the parser can accept invalid values and pass them into afpd startup.
An administrator-supplied out-of-range value may cause afpd to abort during startup or behave unpredictably until the configuration is corrected and the daemon is restarted. This is an administrator-misconfiguration denial of service and is not remotely triggerable over AFP.
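As an added illustration, not Netatalk's code or the actual patch, this is the kind of range check the description calls for: malformed or out-of-range values fall back to the default at parse time instead of reaching daemon startup. The bounds and default are placeholders, since the advisory does not state Netatalk's real values.

```c
/* Added example, not Netatalk code: parse an afp.conf "server quantum" value
 * with the range check the advisory says is missing, so malformed or
 * out-of-range values fall back to the default instead of reaching startup.
 * Bounds are illustrative placeholders, not Netatalk's real constants. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define QUANTUM_DEFAULT 1048576u    /* placeholder: 1 MiB */
#define QUANTUM_MIN     32000u      /* placeholder lower bound */
#define QUANTUM_MAX     UINT32_MAX  /* placeholder upper bound */

/* Strict parse: returns 1 and sets *out only for an unsigned decimal integer,
 * optionally surrounded by whitespace, inside [QUANTUM_MIN, QUANTUM_MAX]. */
static int parse_quantum_strict(const char *text, uint32_t *out)
{
    char *end;
    unsigned long long v;

    if (text == NULL)
        return 0;
    while (isspace((unsigned char)*text))
        text++;
    if (!isdigit((unsigned char)*text))
        return 0;                 /* empty, '-', '+' or letters */
    errno = 0;
    v = strtoull(text, &end, 10);
    if (errno == ERANGE)
        return 0;                 /* too large for 64 bits */
    while (isspace((unsigned char)*end))
        end++;
    if (*end != '\0')
        return 0;                 /* trailing garbage such as "64k" */
    if (v < QUANTUM_MIN || v > QUANTUM_MAX)
        return 0;                 /* the documented fallback case */
    *out = (uint32_t)v;
    return 1;
}

/* Value handed to the daemon: the parsed value if valid, else the default.
 * A caller would log the fallback so the misconfiguration is visible. */
uint32_t effective_server_quantum(const char *text)
{
    uint32_t v;
    return parse_quantum_strict(text, &v) ? v : QUANTUM_DEFAULT;
}
```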
Patch Availability
Apply CVE-2026-49390.patch to a Netatalk 4.4.3 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.0 or later, which includes the patch.
The Netatalk team does not encourage proactively applying the patch to existing deployments because of the low practical exploitability.
CVSS Calculation
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L (3.1)
Workaround
Leave server quantum unset or configure it within the documented valid range.
Credits
Vulnerability reported by:
Michalis Vasileiadis (@vmihalis)
Patch developed by:
Daniel Markstedt of the Netatalk team