Skip to main content

Netatalk CVE-2026-44069

| EUVDEUVD-2026-31218 LOW
Integer Underflow (CWE-191)
2026-05-21 securin GHSA-mgrr-xq8c-qfp2
3.9
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.9 LOW
AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
CVSS changed
May 21, 2026 - 08:22 NVD
3.4 (LOW) 3.9 (LOW)
Analysis Generated
May 21, 2026 - 08:06 vuln.today

DescriptionCVE.org

In Netatalk 3.0.0 through 4.4.2, integer underflow in volxlate. Fixed in 4.5.0.

AnalysisAI

Integer underflow in Netatalk's volxlate function affects all releases from 3.0.0 through 4.4.2, an open-source AFP (Apple Filing Protocol) file server widely deployed on Linux/Unix systems serving macOS clients. Exploitation is constrained to local, highly-privileged attackers under high-complexity conditions, yielding only limited confidentiality, integrity, and availability impact (CVSS 3.4). No active exploitation is confirmed (not listed in CISA KEV), and no public exploit identified at time of analysis.

Technical ContextAI

Netatalk implements the Apple Filing Protocol, enabling Unix/Linux hosts to act as file servers for macOS clients. The vulnerable function, volxlate, is involved in AFP volume translation operations - mapping or transforming volume-related data structures. The root cause is CWE-191 (Integer Underflow): an arithmetic operation produces a result below the minimum representable value for the data type, which can corrupt internal state, cause out-of-bounds memory reads, or produce unexpected behavior in downstream logic. The affected software is identified by CPE cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:* spanning versions 3.0.0 through 4.4.2. Despite the tags referencing 'Integer Overflow,' the CWE-191 classification confirms this is specifically an underflow condition, a subtype of integer wraparound errors.

RemediationAI

Upgrade to Netatalk 4.5.0, the vendor-released patch that resolves this integer underflow. The fix is confirmed by both the CVE description and the vendor advisory at https://netatalk.io/security/CVE-2026-44069. If immediate upgrade is not operationally feasible, restrict local system access to the Netatalk host to only explicitly authorized, trusted privileged accounts - this directly addresses the PR:H and AV:L prerequisites and eliminates the practical attack surface without requiring service disruption. Disabling AFP volumes served via volxlate on sensitive systems is an additional compensating control, though this would impact macOS client file-sharing functionality. Given the low CVSS score and high exploitation bar, this vulnerability should be addressed in the normal patch cycle rather than treated as an emergency.

CVE-2018-1160 CRITICAL POC
9.8 Dec 20

Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. Rated critical severity (CVSS 9.8), th

CVE-2022-45188 HIGH POC
7.8 Nov 12

Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl fi

CVE-2023-42464 CRITICAL
9.8 Sep 20

A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. Rated c

CVE-2022-22995 CRITICAL
9.8 Mar 25

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of file

CVE-2021-31439 HIGH
8.8 May 21

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology Dis

CVE-2026-44071 LOW
3.7 May 21

Netatalk versions 3.1.2 through 4.4.2 are distributed as binaries compiled without the FORTIFY_SOURCE flag, stripping aw

CVE-2026-44074 LOW
3.7 May 21

Incorrect errno calculation in Netatalk 2.1.0 through 4.4.2 allows remote unauthenticated attackers to cause minor servi

CVE-2026-44075 LOW
3.7 May 21

Missing break statement in Netatalk's DSI OpenSession handler allows DSIOPT_ATTNQUANT case to fall through into DSIOPT_S

CVE-2026-7837 LOW
3.7 May 21

TOCTOU race condition in Netatalk's ad_flush function across versions 3.0.0 through 4.4.2 exposes root-privileged file o

CVE-2026-44070 LOW
3.1 May 21

Unbounded realloc during charset conversion in Netatalk 2.0.0 through 4.4.2 allows an authenticated remote attacker to t

CVE-2026-7835 LOW
3.1 May 21

Format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows authenticated network attackers to cause low-seve

CVE-2026-44057 LOW
3.1 May 21

Information disclosure in Netatalk 3.0.0 through 4.4.2 stems from a dead bounds check (CWE-561) in the Spotlight RPC unm

Share

CVE-2026-44069 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy