Inconsistent interpretation of HTTP requests in Netatalk - CVE-2026-45354
Published: July 12, 2026
Netatalk
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to inconsistent interpretation of protocol fields in the DSI packet receiver when processing crafted DSI packets. A remote attacker can send a specially crafted DSIFUNC_CMD packet with a non-zero dsi_code value to cause a denial of service.
The issue can be triggered before authentication after completing DSIOpenSession, and leftover attacker-controlled bytes in the readahead buffer are interpreted as a subsequent DSI packet header.