Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
1DescriptionCVE.org
In Netatalk 2.1.0 through 4.4.2, ea path traversal via incomplete sanitization. Fixed in 4.4.3.
AnalysisAI
Path traversal via extended attribute (ea) handling in Netatalk 2.1.0 through 4.4.2 allows authenticated remote attackers to access or modify files outside intended directories on AFP file shares. The flaw stems from incomplete input sanitization on the ea code path and is resolved in 4.4.3. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
Netatalk is an open-source implementation of the Apple Filing Protocol (AFP) that lets Unix/Linux systems serve files to macOS clients, commonly deployed on NAS appliances (Synology, QNAP, TrueNAS, Buffalo) and Time Machine backup targets. The defect is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and lives in the extended-attribute (ea) handling routine, where sanitization of attacker-supplied path components is incomplete and traversal sequences are not fully stripped. Because AFP exposes per-file metadata and resource forks via ea operations, an attacker who can interact with an authenticated AFP session can manipulate ea pathname components to escape the share root. The CPE cpe:2.3:a:netatalk:netatalk covers all 2.1.0-4.4.2 builds, which spans most distributions and embedded NAS firmware shipped over the last decade.
RemediationAI
Vendor-released patch: Netatalk 4.4.3 - upgrade all Netatalk installations to 4.4.3 or later as referenced in the advisory at https://netatalk.io/security/CVE-2026-44068. NAS appliance operators should track the vendor firmware update channel for a backport, since embedded builds typically lag upstream. Where immediate patching is not possible, compensating controls include disabling the AFP service entirely on hosts that can migrate clients to SMB (afpd off in netatalk.conf or systemctl disable netatalk; side effect: Time Machine over AFP and legacy macOS clients will stop working), restricting AFP TCP port 548 at the network edge and host firewall to known macOS endpoints (side effect: breaks roaming/VPN clients), and tightening per-share user mapping to remove guest and low-privilege accounts so the PR:L precondition cannot be met (side effect: existing low-privileged users lose AFP access). Disabling extended-attribute / Spotlight/EA support per share in AppleVolumes.default (ea:none) may reduce the attack surface for the specific ea code path but breaks resource-fork and metadata fidelity for macOS clients.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 12 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP1 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP2 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP3 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP4 | Fixed |
| SUSE Linux Enterprise Server 12 | Fixed |
| SUSE Linux Enterprise Server 12 SP1 | Fixed |
| SUSE Linux Enterprise Server 12 SP2 | Fixed |
| SUSE Linux Enterprise Server 12 SP3 | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP1 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP2 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP3 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP1 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP2 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP3 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31215
GHSA-qv8r-66p7-3q68