Severity by source
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
In Netatalk 2.0.0 through 4.4.2, off-by-two in papd lp_write(). Fixed in 4.5.0.
AnalysisAI
Off-by-two memory corruption in Netatalk's papd daemon affects all versions from 2.0.0 through 4.4.2, fixed in 4.5.0. The flaw resides in the lp_write() function of the Printer Access Protocol daemon, where an off-by-two boundary error can produce minor integrity and availability impact when triggered by an adjacent-network attacker. With a CVSS score of 3.7 and no public exploit or CISA KEV listing identified at time of analysis, this is a low-severity issue requiring both local network adjacency and high attack complexity, significantly limiting real-world exploitability.
Technical ContextAI
Netatalk is an open-source Unix/Linux implementation of the Apple Filing Protocol (AFP) and AppleTalk protocol suite, enabling macOS and classic Mac OS clients to connect to Unix servers for file and print sharing. The affected component is papd - the Printer Access Protocol (PAP) daemon - which handles print job data sent over AppleTalk or AFP-compatible networks. The vulnerability is classified as CWE-193 (Off-by-One Error); however, the CVE description explicitly states 'off-by-two,' indicating a two-element boundary miscalculation in the lp_write() function. This type of error typically results from an incorrect loop bound or buffer size calculation, allowing writes slightly beyond an intended buffer boundary. The affected CPE is cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:* covering versions 2.0.0 through 4.4.2. The CWE-193 classification and 'off-by-two' description present a minor discrepancy - the root cause class is a buffer boundary miscalculation, but whether it is precisely one or two positions off should be verified against the vendor's patch diff.
RemediationAI
Vendor-released patch: Netatalk 4.5.0, which resolves the off-by-two error in papd's lp_write() function. Administrators should upgrade to 4.5.0 or later as the primary remediation; the vendor advisory is at https://netatalk.io/security/CVE-2026-44065. For deployments where an immediate upgrade is not feasible, a targeted compensating control is to disable the papd service entirely if printer sharing over AppleTalk/PAP is not required - this eliminates the attack surface with no functional impact on AFP file-sharing services. Additionally, because the attack vector is adjacent-network (AV:A), network segmentation that prevents untrusted hosts on the same LAN segment from reaching the papd port provides meaningful risk reduction. Firewall rules restricting access to AppleTalk/PAP ports (typically TCP 548 or the relevant papd listener) to known, authorized print clients are a practical second-layer control. Note that disabling papd affects only legacy Mac print-sharing functionality and has no impact on AFP file services.
Same weakness CWE-193 – Off-by-one Error
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 12 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP1 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP2 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP3 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP4 | Fixed |
| SUSE Linux Enterprise Server 12 | Fixed |
| SUSE Linux Enterprise Server 12 SP1 | Fixed |
| SUSE Linux Enterprise Server 12 SP2 | Fixed |
| SUSE Linux Enterprise Server 12 SP3 | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP1 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP2 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP3 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP1 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP2 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP3 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31213
GHSA-p64q-3rgx-wmvr