Skip to main content

Netatalk CVE-2026-44050

| EUVDEUVD-2026-31229 CRITICAL
Heap-based Buffer Overflow (CWE-122)
2026-05-21 securin GHSA-8f3j-jffj-vg2m
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 08:00 vuln.today

DescriptionCVE.org

In Netatalk 2.0.0 through 4.4.2, heap buffer overflow in cnid daemon comm_rcv(). Fixed in 4.4.3.

AnalysisAI

Heap buffer overflow in the Netatalk cnid_metad daemon's comm_rcv() function allows remote attackers with low-level privileges to corrupt memory across versions 2.0.0 through 4.4.2. Given the CVSS 9.9 score with scope change and high impact across confidentiality, integrity, and availability, successful exploitation likely leads to code execution in the daemon's context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

Netatalk is an open-source implementation of the Apple Filing Protocol (AFP) suite, allowing Unix-like systems to act as file servers for Apple clients. The vulnerable component is the cnid_metad daemon, which manages Catalog Node ID (CNID) databases used to maintain persistent file identifiers across AFP sessions. The flaw is classified as CWE-122 (Heap-based Buffer Overflow) and occurs in comm_rcv(), the inter-process communication receive routine, where attacker-controlled input is written into a heap buffer without adequate length validation. The affected CPE is cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:*, spanning every release from 2.0.0 through 4.4.2.

RemediationAI

Vendor-released patch: Netatalk 4.4.3, which contains the fix for comm_rcv() in the cnid_metad daemon - upgrade to this version or later as documented at https://netatalk.io/security/CVE-2026-44050. For appliance users (Synology, QNAP, etc.) where direct upgrade is not possible, monitor the vendor for a firmware update that incorporates 4.4.3 and apply it as soon as available. If immediate patching is not feasible, compensating controls include disabling the AFP service entirely (afpd and cnid_metad) where SMB or NFS can substitute, restricting AFP TCP port 548 to trusted client subnets at the network firewall, and removing untrusted user accounts from any AFP-enabled server since exploitation requires the low-privilege foothold indicated by PR:L. Trade-off: disabling AFP breaks legacy Mac client file sharing, and network restrictions do not protect against authenticated internal users.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Server 12 SP5 Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security Fixed
SUSE Linux Enterprise Server for SAP Applications 12 SP5 Fixed
SUSE Linux Enterprise Desktop 12 Fixed

Share

CVE-2026-44050 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy