Skip to main content

Netatalk CVE-2026-44068

| EUVDEUVD-2026-31215 HIGH
Path Traversal (CWE-22)
2026-05-21 securin GHSA-qv8r-66p7-3q68
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 08:05 vuln.today

DescriptionCVE.org

In Netatalk 2.1.0 through 4.4.2, ea path traversal via incomplete sanitization. Fixed in 4.4.3.

AnalysisAI

Path traversal via extended attribute (ea) handling in Netatalk 2.1.0 through 4.4.2 allows authenticated remote attackers to access or modify files outside intended directories on AFP file shares. The flaw stems from incomplete input sanitization on the ea code path and is resolved in 4.4.3. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

Netatalk is an open-source implementation of the Apple Filing Protocol (AFP) that lets Unix/Linux systems serve files to macOS clients, commonly deployed on NAS appliances (Synology, QNAP, TrueNAS, Buffalo) and Time Machine backup targets. The defect is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and lives in the extended-attribute (ea) handling routine, where sanitization of attacker-supplied path components is incomplete and traversal sequences are not fully stripped. Because AFP exposes per-file metadata and resource forks via ea operations, an attacker who can interact with an authenticated AFP session can manipulate ea pathname components to escape the share root. The CPE cpe:2.3:a:netatalk:netatalk covers all 2.1.0-4.4.2 builds, which spans most distributions and embedded NAS firmware shipped over the last decade.

RemediationAI

Vendor-released patch: Netatalk 4.4.3 - upgrade all Netatalk installations to 4.4.3 or later as referenced in the advisory at https://netatalk.io/security/CVE-2026-44068. NAS appliance operators should track the vendor firmware update channel for a backport, since embedded builds typically lag upstream. Where immediate patching is not possible, compensating controls include disabling the AFP service entirely on hosts that can migrate clients to SMB (afpd off in netatalk.conf or systemctl disable netatalk; side effect: Time Machine over AFP and legacy macOS clients will stop working), restricting AFP TCP port 548 at the network edge and host firewall to known macOS endpoints (side effect: breaks roaming/VPN clients), and tightening per-share user mapping to remove guest and low-privilege accounts so the PR:L precondition cannot be met (side effect: existing low-privileged users lose AFP access). Disabling extended-attribute / Spotlight/EA support per share in AppleVolumes.default (ea:none) may reduce the attack surface for the specific ea code path but breaks resource-fork and metadata fidelity for macOS clients.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Server 12 SP5 Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security Fixed
SUSE Linux Enterprise Server for SAP Applications 12 SP5 Fixed
SUSE Linux Enterprise Desktop 12 Fixed

Share

CVE-2026-44068 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy