Netatalk Security Advisory
| Subject | DSIWrite frame desynchronization |
|---|---|
| CVE ID# | CVE-2026-62319 |
| Severity | Medium |
| Disclosure Date | 2026/07/16 |
| Affected Versions | 1.5.0-4.5.0 |
| Summary | DSIWrite accepts a data offset larger than the declared frame payload |
Description
DSIWrite handling does not validate that the data offset is within the declared payload length. An authenticated client can consume bytes from the following frame, desynchronize the DSI stream, and control the next parsed frame.
Patch Availability
Apply CVE-2026-62319,CVE-2026-62320.patch to a Netatalk 4.5.0 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.1 or later, which includes the patch.
Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS Calculation
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N (5.3)
Workaround
No practical workaround is available beyond applying the patch; restrict AFP access to trusted users until patched.
Credits
Vulnerability reported by:
Alejandro Ramos aramosf@gmail.com
Patch developed by:
Daniel Markstedt of the Netatalk team
References
Go back to the Security Policy.