Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
In Netatalk 1.5.0 through 4.4.2, seteuid failure ignored in auth modules. Fixed in 4.5.0.
AnalysisAI
Privilege retention in Netatalk 1.5.0 through 4.4.2 results from auth modules silently ignoring failures of the seteuid() system call, allowing an authenticated network attacker to operate with unintended elevated privileges. When seteuid() fails-due to resource exhaustion, OS limits, or specific system configurations-the process continues execution under its original (higher) UID rather than the intended reduced privilege level, exposing file system objects or operations the user should not access. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV, but the vendor has confirmed the flaw and released a fix in version 4.5.0.
Technical ContextAI
Netatalk is an open-source AFP (Apple Filing Protocol) server widely used for macOS-to-Linux file sharing. The vulnerability maps to CWE-273 (Improper Check for Dropped Privileges): POSIX systems use seteuid() to temporarily lower a process's effective user ID before performing operations on behalf of a less-privileged user. If seteuid() fails-which can occur when the process has reached OS-imposed UID transition limits or encounters internal errors-correct code must abort or handle the error. Netatalk's auth modules fail to check the return value, so subsequent file or authentication operations execute under the original elevated UID instead of the caller's restricted UID. The affected CPE is cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:* spanning versions 1.5.0 to 4.4.2, as confirmed by ENISA EUVD-2026-31220.
RemediationAI
Upgrade Netatalk to version 4.5.0, which addresses the seteuid return-value check in auth modules, per the vendor advisory at https://netatalk.io/security/CVE-2026-44073. This is the only confirmed remediation. If immediate upgrade is not possible, restrict AFP server access to fully trusted users only by enforcing network-level controls (firewall rules limiting AFP port 548 to known, trusted IP ranges), which reduces the pool of potential authenticated attackers who could trigger the condition. Additionally, consider disabling Netatalk services on hosts where AFP sharing is not operationally required. Note that network restriction does not eliminate the vulnerability-it only narrows the attacker population; it does not prevent a legitimate but malicious authenticated user from attempting exploitation.
Same weakness CWE-273 – Improper Check for Dropped Privileges
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 12 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP1 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP2 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP3 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP4 | Fixed |
| SUSE Linux Enterprise Server 12 | Fixed |
| SUSE Linux Enterprise Server 12 SP1 | Fixed |
| SUSE Linux Enterprise Server 12 SP2 | Fixed |
| SUSE Linux Enterprise Server 12 SP3 | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP1 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP2 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP3 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP1 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP2 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP3 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31220
GHSA-pc7p-8fgv-4x9c