Skip to main content

Netatalk CVE-2026-44072

| EUVDEUVD-2026-31216 LOW
OS Command Injection (CWE-78)
2026-05-21 securin GHSA-hpgh-hjhq-qx82
3.0
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.0 LOW
AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
CVSS changed
May 21, 2026 - 08:22 NVD
2.5 (LOW) 3.0 (LOW)
Analysis Generated
May 21, 2026 - 08:07 vuln.today

DescriptionCVE.org

In Netatalk 2.2.1 through 4.4.2, system() after failed chdir(). Fixed in 4.5.0.

AnalysisAI

OS command injection in Netatalk 2.2.1 through 4.4.2 arises from a code path that invokes system() after a failed chdir() call, classified under CWE-78. Exploitation requires local access with high privileges and high attack complexity, and yields only low-integrity and low-availability impact with no confidentiality exposure, reflected in the CVSS score of 2.5. No public exploit code and no CISA KEV listing have been identified at time of analysis; a vendor-released fix is available in version 4.5.0.

Technical ContextAI

Netatalk is an open-source Unix/Linux implementation of the Apple Filing Protocol (AFP), enabling macOS-compatible file sharing. The affected component follows the pattern identified by CWE-78 (Improper Neutralization of Special Elements used in an OS Command): a system() call is executed subsequent to a failed chdir() operation without adequately accounting for the failure state. When chdir() fails - for example, because a target directory does not exist or permissions are denied - the code continues execution and invokes system() in an indeterminate working-directory context, potentially with unvalidated or attacker-influenced arguments. The affected CPE is cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:* covering versions 2.2.1 through 4.4.2. The CVSS vector AV:L/AC:H/PR:H/UI:N/S:U constrains this to a local, high-complexity, high-privilege scenario with unchanged scope, meaning no cross-boundary privilege escalation is modeled.

RemediationAI

Upgrade Netatalk to version 4.5.0, which is the vendor-released patch that resolves this issue. Full details are available in the vendor security advisory at https://netatalk.io/security/CVE-2026-44072. Because exploitation requires local high-privilege access, environments where system() execution by the Netatalk process is already restricted through mandatory access control frameworks (such as SELinux or AppArmor) may have reduced exposure, though this does not substitute for patching. If immediate upgrade is not feasible, restricting local access to the Netatalk service account and auditing which users hold high privileges on AFP-serving hosts are reasonable interim measures. Disabling AFP sharing entirely on systems where it is not required eliminates the attack surface completely.

CVE-2018-1160 CRITICAL POC
9.8 Dec 20

Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. Rated critical severity (CVSS 9.8), th

CVE-2022-45188 HIGH POC
7.8 Nov 12

Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl fi

CVE-2023-42464 CRITICAL
9.8 Sep 20

A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. Rated c

CVE-2022-22995 CRITICAL
9.8 Mar 25

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of file

CVE-2021-31439 HIGH
8.8 May 21

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology Dis

CVE-2026-44069 LOW
3.9 May 21

Integer underflow in Netatalk's volxlate function affects all releases from 3.0.0 through 4.4.2, an open-source AFP (App

CVE-2026-44071 LOW
3.7 May 21

Netatalk versions 3.1.2 through 4.4.2 are distributed as binaries compiled without the FORTIFY_SOURCE flag, stripping aw

CVE-2026-44074 LOW
3.7 May 21

Incorrect errno calculation in Netatalk 2.1.0 through 4.4.2 allows remote unauthenticated attackers to cause minor servi

CVE-2026-44075 LOW
3.7 May 21

Missing break statement in Netatalk's DSI OpenSession handler allows DSIOPT_ATTNQUANT case to fall through into DSIOPT_S

CVE-2026-7837 LOW
3.7 May 21

TOCTOU race condition in Netatalk's ad_flush function across versions 3.0.0 through 4.4.2 exposes root-privileged file o

CVE-2026-44070 LOW
3.1 May 21

Unbounded realloc during charset conversion in Netatalk 2.0.0 through 4.4.2 allows an authenticated remote attacker to t

CVE-2026-7835 LOW
3.1 May 21

Format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows authenticated network attackers to cause low-seve

Share

CVE-2026-44072 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy