Netatalk Weak Cryptography in DHCAST128 UAM Vulnerability

Vulnerability

A vulnerability exists in Netatalk versions 1.5.0 through 4.2.2, where the DHCAST128 authentication method employs weak cryptography. This vulnerability arises from the use of a 128-bit Diffie-Hellman prime, which is considered outdated and insecure. Exploitation requires a favorable network position, legacy negotiation conditions, and specialized effort. It is recommended to disable this User Authentication Method (UAM) and opt for stronger alternatives.

Impact

The vulnerability allows for the use of weak cryptographic practices in authentication, potentially leading to unauthorized access or manipulation of data.

Remediation

Users can upgrade to Netatalk version 4.5.0 or later, which includes the necessary patch. Alternatively, version 4.4.2 can be patched with the CVE-2026-44053.patch. The Netatalk team advises against proactively applying the patch to existing deployments due to the low practical exploitability.
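A configuration audit an operator can run to confirm the weak UAM is actually disabled, added here as an example rather than code from the advisory or the Netatalk project. It assumes the DHCAST128 method is provided by the module file uams_dhx.so and that UAMs are selected with the `uams list` key in the `[Global]` section of afp.conf; the sample config is constructed.

```python
"""Audit a Netatalk afp.conf for the DHCAST128 UAM (added example).

Assumptions not stated in the advisory: DHCAST128 is implemented by the
module uams_dhx.so, and UAMs are enabled with the 'uams list' key in the
[Global] section of afp.conf.
"""
import re

# Module assumed to implement DHCAST128, with the reason it is flagged.
WEAK_UAMS = {"uams_dhx.so": "DHCAST128 (128-bit Diffie-Hellman prime)"}
# Stronger alternatives suggested in the report (assumed module names).
PREFERRED_UAMS = ("uams_dhx2.so", "uams_gss.so")

def parse_global_uams(conf_text):
    """Return the modules listed under [Global] 'uams list', or None if absent."""
    section = None
    for raw in conf_text.splitlines():
        # afp.conf comments start with ';' or '#'
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "uams list":
                return value.split()
    return None

def audit_uams(conf_text):
    """Return findings as strings; an empty list means no weak UAM is enabled."""
    uams = parse_global_uams(conf_text)
    if uams is None:
        # No explicit list: built-in defaults apply, so the operator cannot
        # tell from the file alone whether DHCAST128 is enabled.
        return ["no explicit 'uams list' in [Global]; built-in defaults apply, set it explicitly"]
    return [f"{m} enabled: {WEAK_UAMS[m]}; prefer {' or '.join(PREFERRED_UAMS)}"
            for m in uams if m in WEAK_UAMS]

# Constructed sample config that still lists the weak UAM.
SAMPLE_CONF = """
[Global]
; list carried over from an older install
uams list = uams_dhx.so uams_dhx2.so
[Homes]
basedir regex = /home
"""

if __name__ == "__main__":
    for finding in audit_uams(SAMPLE_CONF) or ["no weak UAM enabled"]:
        print(finding)
```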

Added: May 21, 2026, 8:43 AM
Updated: May 21, 2026, 8:43 AM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 0.6
exploitability: 4.6
remediation: 8.3
relevance: 9.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.