| Subject | ASP session ID out-of-bounds access |
|---|---|
| CVE ID# | CVE-2026-44064 |
| Severity | High |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 1.3 - 4.4.2 |
| Summary | An attacker-controlled ASP session ID is used as an array index without validating it against the session table size |
Legacy ASP/DDP session handling can use an attacker-controlled session identifier without adequate validation. When ASP/DDP support is built and enabled, an unauthenticated network attacker may be able to crash the service; reliable code execution is less certain.
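The bug class described above, as an added illustration in C. This is not Netatalk's code and not the contents of CVE-2026-44064.patch; the function names, the table size of 16, and the packet layout with the session ID at byte 1 are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All names and sizes are hypothetical; this is not Netatalk's code. */
#define MAX_SESSIONS 16  /* assumed table size; a one-byte ID can reach 255 */
#define SID_OFFSET   1   /* assumed position of the session ID in the packet */

struct session { int in_use; uint16_t last_seq; };
static struct session *session_table[MAX_SESSIONS];

/* Flawed pattern: the wire byte indexes the table with no range check,
 * so any ID >= MAX_SESSIONS reads a pointer from outside the array. */
struct session *lookup_unchecked(const uint8_t *pkt, size_t len)
{
    (void)len;
    return session_table[pkt[SID_OFFSET]];
}

/* Hardened pattern: check the packet length, then the ID against the table
 * size, then that the slot holds a live session. Returns NULL on failure. */
struct session *lookup_checked(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len <= SID_OFFSET)
        return NULL;                      /* too short to carry an ID */
    size_t sid = pkt[SID_OFFSET];
    if (sid >= MAX_SESSIONS)
        return NULL;                      /* ID outside the table */
    struct session *s = session_table[sid];
    if (s == NULL || !s->in_use)
        return NULL;                      /* no session in that slot */
    return s;
}

int main(void)
{
    static struct session live = { 1, 0 };
    session_table[3] = &live;
    /* Constructed two-byte packets: function code, then session ID. */
    const uint8_t valid[]  = { 0x02, 3 };
    const uint8_t oob[]    = { 0x02, 200 };
    const uint8_t unused[] = { 0x02, 5 };
    printf("valid:  %s\n", lookup_checked(valid, sizeof valid) ? "session" : "rejected");
    printf("oob:    %s\n", lookup_checked(oob, sizeof oob) ? "session" : "rejected");
    printf("unused: %s\n", lookup_checked(unused, sizeof unused) ? "session" : "rejected");
    return 0;
}
```

Rejecting the packet before any table access is what keeps an out-of-range ID from turning into a crash of the service.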
Apply CVE-2026-44064.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.
Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H (7.1)
Restrict legacy AppleTalk access to trusted networks until patched, or disable ASP/DDP support if not needed:

```ini
[Global]
appletalk = no
```
Vulnerability reported by:
Arjun Basnet from Securin
Patch developed by:
Daniel Markstedt of the Netatalk team