Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
In Netatalk 3.1.0 through 4.4.2, heap out-of-bounds reads in spotlight rpc unmarshalling. Fixed in 4.4.3.
AnalysisAI
Heap out-of-bounds read in Netatalk 3.1.0 through 4.4.2 allows authenticated remote attackers to disclose sensitive memory contents and potentially crash the daemon by sending malformed Spotlight RPC requests. The flaw stems from improper bounds checking during Spotlight RPC unmarshalling and is fixed in version 4.4.3. No public exploit identified at time of analysis, and there is no evidence of active exploitation in CISA KEV.
Technical ContextAI
Netatalk is an open-source implementation of the Apple Filing Protocol (AFP) used to provide file-sharing services to macOS clients on Linux/BSD/Unix servers, commonly deployed on NAS appliances (Synology, QNAP, TrueNAS) and Time Machine backup targets. The vulnerable code path resides in the Spotlight RPC subsystem, which Netatalk exposes to allow macOS clients to perform server-side metadata searches via the same AFP/DSI session. CWE-125 (Out-of-bounds Read) here describes a parser that consumes attacker-controlled length or offset fields from a serialized Spotlight RPC message and reads heap memory past the bounds of the intended buffer, leaking adjacent heap contents or triggering a segmentation fault. The affected CPE is cpe:2.3:a:netatalk:netatalk for all versions in the 3.1.0-4.4.2 range.
RemediationAI
Vendor-released patch: Netatalk 4.4.3 - upgrade to this version or later, per the upstream advisory at https://netatalk.io/security/CVE-2026-44066. On appliances where you cannot immediately install 4.4.3 (NAS firmware that bundles Netatalk), the most effective compensating control is to disable Spotlight indexing in afp.conf by removing 'spotlight = yes' from the [Global] or per-volume sections and restarting afpd; this eliminates the vulnerable RPC handler at the cost of losing server-side macOS search. Where Spotlight cannot be disabled, restrict afpd's TCP port 548 to trusted client subnets via firewall rules and require strong AFP authentication to raise the bar against the PR:L precondition, accepting that any compromised user account is still sufficient to trigger the bug. Monitor vendor firmware channels (Synology, QNAP, TrueNAS, Debian/Ubuntu security trackers) for backported fixes referencing CVE-2026-44066.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 12 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP1 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP2 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP3 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP4 | Fixed |
| SUSE Linux Enterprise Server 12 | Fixed |
| SUSE Linux Enterprise Server 12 SP1 | Fixed |
| SUSE Linux Enterprise Server 12 SP2 | Fixed |
| SUSE Linux Enterprise Server 12 SP3 | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP1 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP2 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP3 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP1 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP2 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP3 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31212
GHSA-93hj-5v8r-h26w