PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44075 Netatalk CVE debrief

CVE-2026-44075 is a low-severity network-reachable session-handling flaw in Netatalk's DSI OpenSession path. A missing break statement allows the DSIOPT_ATTNQUANT case to fall through into DSIOPT_SERVQUANT, which can lead to unintended session option handling. The documented impact is limited to minor service disruption, but administrators should treat it as a real availability issue on exposed Netatalk deployments.

Vendor: Netatalk
Product: Unknown
CVSS: LOW 3.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators and operators running Netatalk services, especially on systems that accept remote DSI session setup traffic. Network and storage teams should review exposure, because the issue is triggered remotely through crafted session options.

Technical summary

The flaw is a switch-case fallthrough in DSI OpenSession processing. When DSIOPT_ATTNQUANT is handled, execution can continue into DSIOPT_SERVQUANT because a break is missing. That can cause the service to process session options incorrectly and destabilize the session setup path. NVD lists the issue with CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L and CWE-484 (Omitted Break Statement in Switch). The affected range in the source summary is Netatalk 1.5.0 through 4.4.2.
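
The bug class described above (CWE-484), shown as an added example that is not Netatalk's code or taken from the advisory: a type/length/value option parser with the omitted break next to its corrected form. The option codes, struct fields, default value and what each case does are assumptions chosen to make the fallthrough observable.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed for this example: option codes, field names and handler bodies. */
enum { OPT_SERVQUANT = 0x00, OPT_ATTNQUANT = 0x01 };
struct session { uint32_t attn_quantum, server_quantum; };
typedef void (*apply_fn)(struct session *, uint8_t, uint32_t);

/* CWE-484: nothing ends the first case, so one option writes both fields.
 * GCC and Clang report this pattern with -Wimplicit-fallthrough. */
static void apply_buggy(struct session *s, uint8_t type, uint32_t v) {
    switch (type) {
    case OPT_ATTNQUANT:
        s->attn_quantum = v;
    case OPT_SERVQUANT:
        s->server_quantum = v;
        break;
    }
}

static void apply_fixed(struct session *s, uint8_t type, uint32_t v) {
    switch (type) {
    case OPT_ATTNQUANT:
        s->attn_quantum = v;
        break;                       /* the one-line fix */
    case OPT_SERVQUANT:
        s->server_quantum = v;
        break;
    }
}

/* Walk type/length/value options; UINT32_MAX signals a malformed option. */
static uint32_t parse(const uint8_t *buf, size_t len, apply_fn apply) {
    struct session s = { 0, 0x20000 };          /* constructed defaults */
    for (size_t i = 0; i + 2 <= len; i += 2 + buf[i + 1]) {
        const uint8_t *p = buf + i + 2;
        if (buf[i + 1] != 4 || len - i - 2 < 4)
            return UINT32_MAX;
        apply(&s, buf[i], (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]);
    }
    return s.server_quantum;
}

/* Constructed sample: a single attention-quantum option carrying 1. */
static const uint8_t sample[] = { OPT_ATTNQUANT, 4, 0, 0, 0, 1 };

int main(void) {
    printf("buggy=%u fixed=%u\n", (unsigned)parse(sample, sizeof sample, apply_buggy), (unsigned)parse(sample, sizeof sample, apply_fixed));
    return 0;
}
```

With the break omitted, the attention-quantum option also overwrites the server quantum; with the break in place the server quantum keeps its default.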

Defensive priority

Low

Recommended defensive actions

  • Identify whether any exposed systems are running Netatalk versions 1.5.0 through 4.4.2.
  • Review the linked Netatalk advisory for vendor and upgrade guidance.
  • Apply the vendor fix or move to a version newer than the affected range once validated against the advisory.
  • Limit network exposure of Netatalk services to trusted hosts where practical.
  • Monitor for unexpected DSI session errors, disconnects, or other signs of session setup instability.

Evidence notes

The NVD record for CVE-2026-44075 was published on 2026-05-21 and is marked Received. It cites a Netatalk security advisory URL and maps the issue to CWE-484 with CVSS 3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L. The supplied description states that a missing break in DSI OpenSession processing causes DSIOPT_ATTNQUANT to fall through into DSIOPT_SERVQUANT, allowing crafted session options to cause minor service disruption. Vendor attribution in the source metadata is marked low-confidence and needs review, so Netatalk should be treated as the referenced product/project from the advisory rather than as a fully confirmed vendor field.

Official resources

Publicly disclosed in the CVE record and NVD on 2026-05-21, with NVD referencing the Netatalk advisory at netatalk.io/security/CVE-2026-44075.