These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-44075 is a low-severity network-reachable session-handling flaw in Netatalk's DSI OpenSession path. A missing break statement allows the DSIOPT_ATTNQUANT case to fall through into DSIOPT_SERVQUANT, which can lead to unintended session option handling. The documented impact is limited to minor service disruption, but administrators should treat it as a real availability issue on exposed Netatalk deployments.
CVE-2026-44074 is a low-severity Netatalk issue where multiple errno values are combined with bitwise OR instead of being handled as distinct errors. When more than one error condition occurs at the same time, the resulting incorrect error code can send execution into the wrong error-handling path. The practical impact described in the source is a minor service disruption caused by remote-triggered condit [truncated]
CVE-2026-44071 is a low-severity issue in Netatalk builds from 3.1.2 through 4.4.2 that are compiled without FORTIFY_SOURCE. The missing hardening removes built-in runtime checks that can catch certain buffer overflows before they become memory errors. According to the published description, a remote attacker may be able to trigger a minor denial of service in affected builds.
CVE-2026-7835 is a low-severity Netatalk issue involving a format string argument mismatch. According to the public advisory and NVD record, a remote authenticated attacker can send crafted input that triggers incorrect format string handling and may cause a minor denial of service. The CVE was published on 2026-05-21, and the NVD entry classifies the issue as CWE-134 with a CVSS 3.1 vector of AV:N/AC:H/P [truncated]
CVE-2026-44072 is a low-severity Netatalk issue in which a failed chdir() is not handled safely before system() is called. Under the affected conditions, a local privileged user may be able to trigger unintended commands or a limited service disruption. The NVD record cites CWE-78 and assigns a local, high-privilege attack profile, which matches the error-path and privilege requirements described in the advisory.
CVE-2026-44069 is a low-severity integer underflow in Netatalk's volxlate function. A local privileged user who can supply crafted volume translation input may obtain limited information, modify limited data, or cause minor service disruption. The issue affects Netatalk 3.0.0 through 4.4.2 and is mapped to CWE-191.
CVE-2026-44068 describes an incomplete sanitization issue in Netatalk extended attribute (EA) path handling. A remote authenticated attacker can use crafted EA names to write to files outside the intended metadata namespace. NVD rates the issue HIGH with CVSS 3.1 7.6, and the recorded weakness is CWE-22 (path traversal).
CVE-2026-44067 describes a heap over-read in Netatalk extended attribute (EA) header parsing. According to the published description, an authenticated remote attacker who can supply crafted EA data may be able to obtain limited information or cause a minor service disruption. The issue is rated CVSS 4.2 (MEDIUM) and was publicly published on 2026-05-21.
CVE-2026-44066 is a high-severity weakness in Netatalk’s Spotlight RPC unmarshalling path. The issue is described as multiple heap out-of-bounds reads affecting Netatalk 3.1.0 through 4.4.2, and it can let a remote authenticated attacker obtain sensitive information or cause a minor service disruption.
CVE-2026-44062 is a high-severity vulnerability reported in Netatalk-related advisory material and indexed by NVD on 2026-05-21. The issue is described as a missing output length bounds check in pull_charset_flags(), which can let a remote authenticated attacker execute arbitrary code or trigger a denial of service using crafted character set data. NVD lists the weakness as CWE-787 and assigns a CVSS 3.1 [truncated]
CVE-2026-44060 is a high-severity denial-of-service issue in Netatalk. A crafted DSI write request can trigger an integer underflow in dsi_writeinit(), allowing a remote unauthenticated attacker to disrupt service. The published CVSS vector reflects a network-reachable, no-authentication attack with availability impact only.
CVE-2026-44059 describes a race condition in Netatalk's privilege toggle mechanism. In affected Netatalk 2.2.5 through 4.4.2 deployments, a local attacker with limited privileges may be able to obtain limited information, modify limited data, or trigger a minor service disruption. The NVD record classifies the issue as CWE-362 and assigns CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L.
CVE-2026-44058 is a high-severity authentication bypass in Netatalk 2.2.2 through 4.4.2. According to the published CVE description, a remote privileged user can authenticate as an arbitrary user through the admin auth user mechanism. The NVD record assigns CVSS 3.1: 7.2 (High) with network attack vector, low attack complexity, high privileges required, no user interaction, and high impact to confidential [truncated]
CVE-2026-44056 describes a stack-based buffer overflow in Netatalk's desktop.c. According to the published advisory data, versions 1.3 through 4.2.2 are affected, and a remote authenticated attacker could trigger denial of service, limited information exposure, or limited data modification. NVD assigns a CVSS 3.1 base score of 6.4 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H) and maps the issue to CWE-121.
CVE-2026-44054 is a medium-severity denial-of-service issue in Netatalk. The problem is that AFP session tokens are derived from predictable process IDs, which can let a remote authenticated attacker abuse the reconnect mechanism and disrupt service. NVD assigns the issue CVSS 3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and maps it to CWE-330 (Use of Insufficiently Random Values).
CVE-2026-44053 is a high-severity authentication weakness in Netatalk’s DHCAST128 UAM. According to the CVE description, versions 1.5.0 through 4.2.2 use a broken cryptographic algorithm that can let a remote attacker obtain authentication credentials or impersonate a user through cryptanalytic attack. The NVD record rates the issue 7.4/High with network attack vector and no user interaction required.
CVE-2026-44051 is a high-severity improper link resolution issue reported for Netatalk 3.0.2 through 4.4.2. According to the official NVD entry and the Netatalk security advisory, a remote authenticated attacker may be able to create attacker-controlled symlinks that lead to arbitrary file read or arbitrary file overwrite outcomes. The issue is categorized as CWE-59 and carries a CVSS v3.1 score of 8.1 (A [truncated]
CVE-2026-44050 is a critical heap-based buffer overflow in Netatalk’s CNID daemon comm_rcv() function. According to the published NVD record and vendor reference, a remote authenticated attacker can potentially execute arbitrary code with escalated privileges or trigger a denial of service on affected Netatalk versions 2.0.0 through 4.4.2.
CVE-2026-44049 is a high-severity memory-corruption issue in Netatalk. According to the CVE description and NVD record, improper null termination in convert_charset() can lead to an out-of-bounds write when processing crafted character data. The impact is remote, but requires authentication. Successful exploitation could result in arbitrary code execution or denial of service. The CVE was published on 202 [truncated]
CVE-2026-44048 is a high-severity issue in Netatalk affecting versions 2.0.4 through 4.4.2. According to the CVE description, a stack-based buffer overflow caused by UCS-2 type confusion in convert_charset() can let a remote authenticated attacker execute arbitrary code or trigger a denial of service. The NVD record lists this as CVSS 3.1 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps it to CWE-121.
CVE-2026-44047 is a high-severity SQL injection issue in Netatalk’s MySQL CNID backend. According to the CVE record, a remote authenticated attacker could obtain unauthorized data access, modify data, or trigger denial of service in affected Netatalk releases 3.1.0 through 4.4.2. The issue was published on 2026-05-21 and is supported by an official Netatalk security reference.