Description
A missing break statement in DSI OpenSession processing in Netatalk 1.5.0 through 4.4.2 causes a DSIOPT_ATTNQUANT switch case to fall through into DSIOPT_SERVQUANT, resulting in unintended session option handling that may allow a remote attacker to cause a minor service disruption via crafted DSI session options.
Published: 2026-05-21
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing break statement in the DSI OpenSession processing of Netatalk 1.5.0 through 4.4.2. The DSIOPT_ATTNQUANT case falls through to DSIOPT_SERVQUANT, so an attention-quantum option is also handled as a server-quantum option. An attacker who can send crafted DSI session options may force the daemon to misinterpret options and cause a minor service disruption. The weakness is captured as CWE-484, Incorrect Open-Ended Input.
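The fall-through described above, as an added illustration in C; this is not Netatalk's source code. The option layout, option codes, struct and function names are assumptions made for the example, and the sample input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* Option codes and all values below are constructed for this example. */
enum { OPT_SERVQUANT = 0x00, OPT_ATTNQUANT = 0x01 };

struct session { uint32_t attn_quantum, server_quantum; };

/* Parse [type][len][value] options. with_break=1 is the corrected switch,
 * with_break=0 reproduces the omitted break. Returns -1 on malformed input. */
static int parse_options(struct session *s, const uint8_t *p, size_t n,
                         int with_break)
{
    size_t i = 0;
    while (i < n) {
        if (n - i < 2) return -1;               /* truncated header */
        uint8_t type = p[i], len = p[i + 1];
        i += 2;
        if (len > n - i) return -1;             /* value overruns buffer */
        uint32_t v = 0;
        if (len == 4)                           /* big-endian 32-bit value */
            v = (uint32_t)p[i] << 24 | (uint32_t)p[i + 1] << 16 |
                (uint32_t)p[i + 2] << 8 | p[i + 3];
        switch (type) {
        case OPT_ATTNQUANT:
            if (len != 4) return -1;
            s->attn_quantum = v;
            if (with_break) break;
            /* FALLTHROUGH - the omitted break: next case also runs */
        case OPT_SERVQUANT:
            if (len != 4) return -1;
            s->server_quantum = v;
            break;
        default:
            break;                              /* unknown option: skip */
        }
        i += len;
    }
    return 0;
}

/* Parse one constructed ATTNQUANT option (value 2) into a session whose
 * server quantum starts at 0x100000; return the resulting server quantum. */
uint32_t server_quantum_after(int with_break)
{
    static const uint8_t sample[] = { OPT_ATTNQUANT, 4, 0, 0, 0, 2 };
    struct session s = { 0, 0x100000 };
    if (parse_options(&s, sample, sizeof sample, with_break) != 0) return 0;
    return s.server_quantum;
}
```

With the break in place the server quantum keeps its initial value; without it, the attention-quantum option silently overwrites it. Compilers can flag this pattern at build time with `-Wimplicit-fallthrough`.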

Affected Systems

Affected vendor: Netatalk. Affected product: Netatalk server software. Versions 1.5.0 through 4.4.2 are impacted. Customers should verify the installed version falls within this range.

Risk and Exploitability

The CVSS score of 3.7 indicates low severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting a relatively low exploitation likelihood. An attacker would need remote access to the Netatalk service and the ability to send malformed DSI session options, which implies a remote network attack vector. Successful exploitation could lead to a service disruption but not to code execution or data compromise.

Generated by OpenCVE AI on May 21, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether the Netatalk vendor has released an update that addresses this issue, and apply it when available.
  • If an update cannot be applied immediately, restrict traffic to the Netatalk service to trusted IPs or implement firewall rules to block malformed DSI session options.
  • Enable detailed logging of DSI session option errors and monitor for unexpected service restarts or downtime to detect exploitation attempts.



Advisories

No advisories yet.

History

Thu, 21 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Netatalk
Netatalk netatalk
Vendors & Products Netatalk
Netatalk netatalk

Thu, 21 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description A missing break statement in DSI OpenSession processing in Netatalk 1.5.0 through 4.4.2 causes a DSIOPT_ATTNQUANT switch case to fall through into DSIOPT_SERVQUANT, resulting in unintended session option handling that may allow a remote attacker to cause a minor service disruption via crafted DSI session options.
Title Missing break in DSI OpenSession
Weaknesses CWE-484
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-05-21T08:23:44.721Z

Reserved: 2026-05-05T07:25:20.197Z

Link: CVE-2026-44075

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T09:16:29.770

Modified: 2026-05-21T09:16:29.770

Link: CVE-2026-44075

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T11:00:11Z

Weaknesses