Severity by source
AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
In Netatalk 2.2.1 through 4.4.2, system() after failed chdir(). Fixed in 4.5.0.
AnalysisAI
OS command injection in Netatalk 2.2.1 through 4.4.2 arises from a code path that invokes system() after a failed chdir() call, classified under CWE-78. Exploitation requires local access with high privileges and high attack complexity, and yields only low-integrity and low-availability impact with no confidentiality exposure, reflected in the CVSS score of 2.5. No public exploit code and no CISA KEV listing have been identified at time of analysis; a vendor-released fix is available in version 4.5.0.
Technical ContextAI
Netatalk is an open-source Unix/Linux implementation of the Apple Filing Protocol (AFP), enabling macOS-compatible file sharing. The affected component follows the pattern identified by CWE-78 (Improper Neutralization of Special Elements used in an OS Command): a system() call is executed subsequent to a failed chdir() operation without adequately accounting for the failure state. When chdir() fails - for example, because a target directory does not exist or permissions are denied - the code continues execution and invokes system() in an indeterminate working-directory context, potentially with unvalidated or attacker-influenced arguments. The affected CPE is cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:* covering versions 2.2.1 through 4.4.2. The CVSS vector AV:L/AC:H/PR:H/UI:N/S:U constrains this to a local, high-complexity, high-privilege scenario with unchanged scope, meaning no cross-boundary privilege escalation is modeled.
RemediationAI
Upgrade Netatalk to version 4.5.0, which is the vendor-released patch that resolves this issue. Full details are available in the vendor security advisory at https://netatalk.io/security/CVE-2026-44072. Because exploitation requires local high-privilege access, environments where system() execution by the Netatalk process is already restricted through mandatory access control frameworks (such as SELinux or AppArmor) may have reduced exposure, though this does not substitute for patching. If immediate upgrade is not feasible, restricting local access to the Netatalk service account and auditing which users hold high privileges on AFP-serving hosts are reasonable interim measures. Disabling AFP sharing entirely on systems where it is not required eliminates the attack surface completely.
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. Rated critical severity (CVSS 9.8), th
Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl fi
A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. Rated c
The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of file
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology Dis
Integer underflow in Netatalk's volxlate function affects all releases from 3.0.0 through 4.4.2, an open-source AFP (App
Netatalk versions 3.1.2 through 4.4.2 are distributed as binaries compiled without the FORTIFY_SOURCE flag, stripping aw
Incorrect errno calculation in Netatalk 2.1.0 through 4.4.2 allows remote unauthenticated attackers to cause minor servi
Missing break statement in Netatalk's DSI OpenSession handler allows DSIOPT_ATTNQUANT case to fall through into DSIOPT_S
TOCTOU race condition in Netatalk's ad_flush function across versions 3.0.0 through 4.4.2 exposes root-privileged file o
Unbounded realloc during charset conversion in Netatalk 2.0.0 through 4.4.2 allows an authenticated remote attacker to t
Format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows authenticated network attackers to cause low-seve
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31216
GHSA-hpgh-hjhq-qx82