Skip to main content

Netatalk CVE-2026-44059

| EUVDEUVD-2026-31233 MEDIUM
Race Condition (CWE-362)
2026-05-21 securin GHSA-87m3-6mhh-2gj7
4.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.5 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Severity Changed
May 21, 2026 - 08:22 NVD
LOW MEDIUM
CVSS changed
May 21, 2026 - 08:22 NVD
3.9 (LOW) 4.5 (MEDIUM)
Analysis Generated
May 21, 2026 - 08:05 vuln.today

DescriptionCVE.org

In Netatalk 2.2.5 through 4.4.2, non-reentrant privilege toggle. Fixed in 4.5.0.

AnalysisAI

Race condition in Netatalk's privilege toggle mechanism exposes AFP file server hosts to local privilege abuse across versions 2.2.5 through 4.4.2. The non-reentrant privilege toggle function can be exploited by a low-privileged local user who wins a narrow timing window to read, modify, or disrupt data at a transiently elevated privilege level. No public exploit code exists and the issue is not listed in CISA KEV; real-world risk is constrained by the requirement for local access and high attack complexity. Vendor-released patch is available in version 4.5.0.

Technical ContextAI

Netatalk is an open-source implementation of the Apple Filing Protocol (AFP), enabling Unix-like systems to serve files to macOS clients. The affected component is a privilege toggle routine - code that switches the process between elevated and normal privilege states (e.g., via seteuid/setuid calls) to perform operations requiring temporary elevation. CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization) describes the root cause: the toggle function is not reentrant, meaning if two execution paths enter it simultaneously, one thread can observe or operate under an elevated privilege state intended only for the other. The CPE string cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:* confirms all builds of the netatalk application package from 2.2.5 through 4.4.2 are affected, regardless of platform variant.

RemediationAI

Vendor-released patch: 4.5.0. Upgrade Netatalk to version 4.5.0 or later, as confirmed by the vendor advisory at https://netatalk.io/security/CVE-2026-44059. For systems that cannot be immediately patched, restrict shell and local system access to the Netatalk server host to only trusted, authorized users - this directly eliminates the PR:L requirement. As an additional compensating control, consider running the Netatalk daemon under a dedicated, minimally privileged service account to reduce the privilege delta exploitable via the race window; note this may require reconfiguring share permissions. Disabling AFP shares entirely and migrating to SMB (Samba) is a viable architectural mitigation for environments where AFP is not strictly required, though this has operational impact for macOS clients using legacy AFP mounts.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 12 SP5 Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security Fixed
SUSE Linux Enterprise Server for SAP Applications 12 SP5 Fixed
SUSE Linux Enterprise Desktop 12 Fixed

Share

CVE-2026-44059 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy