What this actually is.
Technical background, root cause, and affected surface.
ASP (AppleTalk Session Protocol) session ID handling in Netatalk does not validate the session ID index before array access. A crafted ASP request with an out-of-range session ID causes an out-of-bounds read, potentially leaking process memory or crashing the daemon.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- High
- CVSS Score
- 7.1
- Status
- Published
- CWE
- CWE-125: Out-of-bounds Read
- Vector
- CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
libatalk/asp/asp_open.c or afpd/asp.c: session ID used as array index without bounds validation
Root cause: Missing bounds check on ASP session ID before use as array index
When does this fire?
All conditions must be true for the exploit to succeed.
Adjacent network attacker sends an ASP request with an out-of-range session ID value
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Process memory disclosure or daemon crash (DoS)
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which adds session ID bounds validation before array access.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.