Description
An out-of-bounds read in ASP session ID handling in Netatalk 1.3 through 4.4.2 allows an adjacent network attacker to obtain limited information or cause a denial of service via a crafted ASP request.
Published: 2026-05-21
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out-of-bounds read (CWE-125) in the ASP session ID handling of Netatalk 1.3 through 4.4.2. An ASP request carries a session ID that the server uses to locate per-session state; a crafted request whose session ID lies outside the range the server's session table actually covers makes the server read memory beyond that table. The attacker can thereby obtain limited information (CVSS C:L) or crash the service (A:H). Because the overrun is a read, not a write, it does not by itself lead to arbitrary code execution, and the record assigns no integrity impact (I:N).
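To make the CWE-125 pattern concrete, the following is an added example in C written for this page. It is not Netatalk's code and does not reproduce the actual flaw; the header layout (one function byte, one session ID byte, a 16-bit sequence number), the table size MAX_SESSIONS, the struct layouts and every function name are assumptions for illustration only. It parses a constructed request, shows how an unchecked 8-bit session ID indexes past an 8-entry table (computed as a byte offset so the example never performs the overrun itself), and contrasts that with a lookup that rejects out-of-range and unused IDs.

```c
/* Illustrative ASP-style session lookup, vulnerable pattern vs hardened form.
 * Added example for this page; not Netatalk code. All layouts are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 8   /* hypothetical session table size */
#define ASP_HDR_LEN  4   /* assumed header: func(1) sid(1) seq(2, big-endian) */

struct session {
    uint8_t  in_use;
    uint16_t seq;        /* next sequence number expected from this client */
    char     client[12];
};                       /* 16 bytes on common ABIs */

/* Constructed server state: the session table is followed by other data.
 * Any index >= MAX_SESSIONS lands in `adjacent` or beyond. */
struct server_state {
    struct session slots[MAX_SESSIONS];
    char adjacent[64];
};

/* Parse the assumed header. Returns 0 on success, -1 if the packet is too short. */
static int asp_parse_header(const uint8_t *pkt, size_t len,
                            uint8_t *func, uint8_t *sid, uint16_t *seq)
{
    if (pkt == NULL || len < ASP_HDR_LEN)
        return -1;
    *func = pkt[0];
    *sid  = pkt[1];
    *seq  = (uint16_t)((pkt[2] << 8) | pkt[3]);
    return 0;
}

/* Vulnerable pattern (CWE-125): the 8-bit session ID is used directly as an
 * array index. This returns the byte offset such a lookup would touch, relative
 * to the start of slots[], instead of dereferencing it. */
static size_t unchecked_read_offset(uint8_t sid)
{
    return (size_t)sid * sizeof(struct session);
}

/* 1 if the unchecked lookup for `sid` would read beyond the end of slots[]. */
static int unchecked_read_escapes_table(uint8_t sid)
{
    size_t table_bytes = MAX_SESSIONS * sizeof(struct session);
    return unchecked_read_offset(sid) + sizeof(struct session) > table_bytes;
}

/* Hardened lookup: bounds-check the attacker-controlled ID before indexing,
 * then require the slot to hold a live session. */
static const struct session *session_lookup_checked(const struct server_state *st, uint8_t sid)
{
    if (sid >= MAX_SESSIONS)
        return NULL;
    if (!st->slots[sid].in_use)
        return NULL;
    return &st->slots[sid];
}

/* Handle one request on the hardened path. Returns 1 if accepted, 0 if rejected. */
static int asp_handle_request(const struct server_state *st, const uint8_t *pkt, size_t len)
{
    uint8_t func, sid;
    uint16_t seq;
    if (asp_parse_header(pkt, len, &func, &sid, &seq) != 0)
        return 0;
    (void)func;
    const struct session *s = session_lookup_checked(st, sid);
    if (s == NULL)
        return 0;
    return s->seq == seq;  /* also require the expected sequence number */
}

int main(void)
{
    struct server_state st;
    memset(&st, 0, sizeof st);
    st.slots[2].in_use = 1;
    st.slots[2].seq = 7;
    strcpy(st.adjacent, "other-client-state");  /* constructed "must not leak" data */

    /* Constructed packets: a valid request for session 2, and one with sid 0xC8 (200). */
    const uint8_t good[] = { 0x02, 0x02, 0x00, 0x07 };
    const uint8_t bad[]  = { 0x02, 0xC8, 0x00, 0x00 };

    printf("table is %zu bytes; sid 200 would read at offset %zu (escapes table: %d)\n",
           MAX_SESSIONS * sizeof(struct session),
           unchecked_read_offset(200), unchecked_read_escapes_table(200));
    printf("hardened path: good=%d bad=%d\n",
           asp_handle_request(&st, good, sizeof good),
           asp_handle_request(&st, bad, sizeof bad));
    return 0;
}
```

The check `sid >= MAX_SESSIONS` is the whole fix for this class of bug: the ID comes from the wire, so the only safe assumption is that it is arbitrary, and the comparison must happen before the index is used. Checking `in_use` afterwards stops a stale or never-opened slot from being treated as a live session.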

Affected Systems

Affected products include Netatalk 1.3 and all releases through 4.4.2; the CVE record states the fix is in 4.4.3. ASP (AppleTalk Session Protocol) is the session layer Netatalk uses to carry AFP file sharing over AppleTalk, as distinct from DSI, which carries AFP over TCP/IP; the flaw is in that component's handling of session IDs. Any deployment in this version range that accepts AppleTalk (ASP) connections is potentially impacted.

Risk and Exploitability

The CVSS 3.1 vector is AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H, scoring 7.1 (High). No EPSS data is available to gauge current exploitation probability, and the flaw is not listed in CISA KEV. The attack vector is adjacent network (AV:A), not remote: the attacker needs to be on the same network segment as the server, which fits ASP running over AppleTalk rather than over routed IP. No privileges or user interaction are required, and attack complexity is low, so anyone able to deliver ASP traffic to the server can exploit it. Exploitation consists of sending a crafted ASP request whose session ID exceeds the expected bounds; the server then reads adjacent memory, which can disclose limited information or, more likely given A:H, crash the service.

Generated by OpenCVE AI on May 21, 2026 at 10:39 UTC.

Remediation

The CVE record states the issue is fixed in Netatalk 4.4.3. No separate vendor advisory or workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade Netatalk to version 4.4.3 or later, which the CVE record states contains the fix.
  • Restart the Netatalk service after applying the update so the running afpd picks up the patched code.
  • If an upgrade cannot be performed immediately, reduce exposure of the ASP code path: the vector is adjacent network, so the exposure is the AppleTalk segment the server sits on. If AppleTalk is not needed, disable it and serve AFP over TCP (DSI) only; otherwise limit the segment to trusted hosts.


Advisories
Source      ID         Title
Debian DSA  DSA-62801  netatalk security update
History

Thu, 21 May 2026 09:00:00 +0000

Type: Description
  Values Removed: In Netatalk 1.3 through 4.4.2, asp session id out-of-bounds access. Fixed in 4.4.3.
  Values Added:   An out-of-bounds read in ASP session ID handling in Netatalk 1.3 through 4.4.2 allows an adjacent network attacker to obtain limited information or cause a denial of service via a crafted ASP request.

Thu, 21 May 2026 08:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added:   Netatalk; Netatalk netatalk
Type: Vendors & Products
  Values Removed: (none)
  Values Added:   Netatalk; Netatalk netatalk

Thu, 21 May 2026 07:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added:   In Netatalk 1.3 through 4.4.2, asp session id out-of-bounds access. Fixed in 4.4.3.
Type: Title
  Values Removed: (none)
  Values Added:   ASP session ID out-of-bounds access
Type: Weaknesses
  Values Removed: (none)
  Values Added:   CWE-125
Type: References
  Values Removed: (none)
  Values Added:
Type: Metrics
  Values Removed: (none)
  Values Added:   cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-05-21T07:52:38.117Z

Reserved: 2026-05-05T07:25:12.313Z

Link: CVE-2026-44064

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T08:16:22.020

Modified: 2026-05-21T09:16:28.647

Link: CVE-2026-44064

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T10:45:08Z

Weaknesses