CVE-2026-44075
Missing Break in DSI Session Handling in Netatalk
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: securin
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| netatalk | netatalk | From 1.5.0 (inc) to 4.4.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-484 | The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is caused by a missing break statement in the DSI OpenSession processing code of Netatalk versions 1.5.0 through 4.4.2. Specifically, in the DSIOPT_ATTNQUANT switch case, the absence of a break causes the execution to fall through into the DSIOPT_SERVQUANT case unintentionally. This leads to improper handling of session options.
As a result, a remote attacker can exploit this flaw by sending specially crafted DSI session options, which may cause a minor disruption of the service.
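An added illustration of the fall-through described above, not Netatalk's source: a simplified C option parser in which the `fixed` flag toggles the missing `break`. The numeric option codes, the `session` struct, the function names and the sample bytes are assumptions constructed for this example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model only: option codes, struct and field names are assumptions. */
#define DSIOPT_SERVQUANT 0x00
#define DSIOPT_ATTNQUANT 0x01
struct session { uint32_t attn_quantum, serv_quantum; };

/* Walk [type][len][value] options; fixed == 0 models the missing break. */
static int parse_options(struct session *s, const uint8_t *buf, size_t len, int fixed)
{
    size_t i = 0;
    while (i + 2 <= len) {
        uint8_t type = buf[i++];
        uint8_t olen = buf[i++];
        uint32_t v;
        if (olen > len - i) return -1;        /* value would run past the buffer */
        switch (type) {
        case DSIOPT_ATTNQUANT:
            if (olen != sizeof v) return -1;
            memcpy(&v, buf + i, sizeof v);
            s->attn_quantum = ntohl(v);
            if (fixed) break;                 /* the break the vulnerable form lacks */
            /* vulnerable form: control continues into the next case */
        case DSIOPT_SERVQUANT:
            if (olen != sizeof v) return -1;
            memcpy(&v, buf + i, sizeof v);
            s->serv_quantum = ntohl(v);
            break;
        default:
            break;                            /* unknown option: skip its value */
        }
        i += olen;
    }
    return 0;
}

/* Constructed sample: a single attention-quantum option carrying the value 2. */
static const uint8_t SAMPLE[] = { DSIOPT_ATTNQUANT, 4, 0, 0, 0, 2 };

/* serv_quantum after parsing SAMPLE; 1024 is an arbitrary starting value. */
static uint32_t serv_after(int fixed)
{
    struct session s = { 0, 1024 };
    parse_options(&s, SAMPLE, sizeof SAMPLE, fixed);
    return s.serv_quantum;
}
int main(void) { printf("%u %u\n", serv_after(0), serv_after(1)); return 0; }
```

Building with the GCC or Clang `-Wimplicit-fallthrough` warning reports an unannotated fall-through between cases at compile time.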
How can this vulnerability impact me?
The impact of this vulnerability is limited to a minor service disruption. A remote attacker could exploit the flaw to cause the Netatalk service to behave unexpectedly or become temporarily unavailable.
There is no indication that this vulnerability allows for data compromise, privilege escalation, or other severe impacts.