Skip to main content

Netatalk CVE-2026-44062

| EUVDEUVD-2026-31239 HIGH
Out-of-bounds Write (CWE-787)
2026-05-21 securin GHSA-3q98-qc2j-57pp
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 08:03 vuln.today

DescriptionCVE.org

In Netatalk 2.0.4 through 4.4.2, missing o_len bounds check in pull_charset_flags(). Fixed in 4.4.3.

AnalysisAI

Out-of-bounds write in Netatalk versions 2.0.4 through 4.4.2 stems from a missing o_len bounds check in the pull_charset_flags() character-set conversion routine, enabling remote attackers with low privileges to corrupt memory and potentially compromise confidentiality, integrity, and availability of the AFP file server. The flaw is addressed in Netatalk 4.4.3, and no public exploit has been identified at time of analysis.

Technical ContextAI

Netatalk is an open-source implementation of the Apple Filing Protocol (AFP) suite, widely deployed on Linux/BSD systems (including NAS appliances) to provide file and print services to macOS clients. The vulnerable function pull_charset_flags() is part of Netatalk's Unicode/charset conversion layer, which translates between AFP's UTF-16 representations and host-side encodings; the missing o_len (output length) bounds check is a classic CWE-787 out-of-bounds write, where the routine writes converted bytes into a destination buffer without verifying remaining capacity. CPE data confirms the affected product as cpe:2.3:a:netatalk:netatalk across all versions in the 2.0.4-4.4.2 range, indicating a long-lived defect spanning multiple major releases of the codebase.

RemediationAI

Upgrade to Netatalk 4.4.3 or later, which contains the vendor-released patch adding the missing o_len bounds check in pull_charset_flags(); details are published at https://netatalk.io/security/CVE-2026-44062. For appliances or distributions where 4.4.3 is not yet packaged, compensating controls include disabling the afpd service entirely where AFP is no longer required (Apple has moved macOS clients to SMB by default since macOS 10.9), restricting AFP TCP port 548 to trusted management VLANs at the firewall, and tightening authentication by disabling guest/anonymous AFP access in afp.conf so that the PR:L precondition cannot be satisfied by unauthenticated attackers; the trade-off is loss of file-sharing functionality for legitimate macOS clients still relying on AFP.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Server 12 SP5 Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security Fixed
SUSE Linux Enterprise Server for SAP Applications 12 SP5 Fixed
SUSE Linux Enterprise Desktop 12 Fixed

Share

CVE-2026-44062 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy