What this actually is.
Technical background, root cause, and affected surface.
Netatalk generates AFP session reconnect tokens using predictable values derived from process IDs. An authenticated attacker can predict valid session tokens and use them to disrupt active AFP sessions, causing a denial of service via the reconnect mechanism.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- Medium
- CVSS Score
- 6.5
- Status
- Published
- CWE
- CWE-330: Use of Insufficiently Random Values
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
afpd/afp_dsi.c: session token generation uses getpid() or similarly predictable seed without cryptographic randomness
Root cause: Session token generation uses predictable PID-based values instead of a cryptographically secure random number generator
When does this fire?
All conditions must be true for the exploit to succeed.
Authenticated AFP client enumerates process ID space to predict session tokens of other connected clients
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Session disruption and denial of service for legitimate AFP clients; potential session hijacking
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which uses a CSPRNG for session token generation.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.