Skip to main content

Netatalk CVE-2026-7835

| EUVDEUVD-2026-31223 LOW
Use of Externally-Controlled Format String (CWE-134)
2026-05-21 securin GHSA-3wp4-f8xr-849x
3.1
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 08:07 vuln.today

DescriptionCVE.org

In Netatalk 3.0.3 through 4.4.2, format string argument mismatch. Fixed in 4.5.0.

AnalysisAI

Format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows authenticated network attackers to cause low-severity availability disruption, with a secondary reporter-assessed potential for memory content disclosure. The root cause is CWE-134 (Use of Externally-Controlled Format String), a class known to enable stack and heap memory leakage via injected format specifiers - a risk flagged by securin's 'Information Disclosure' tag that is not fully reflected in the CVSS vector (C:N). No public exploit identified at time of analysis; vendor-released patch is available in version 4.5.0.

Technical ContextAI

Netatalk is an open-source implementation of the Apple Filing Protocol (AFP), enabling Unix and Linux systems to serve files to Apple clients over a network. CWE-134 (Use of Externally-Controlled Format String) arises when user-supplied data is passed directly as the format string argument to functions such as printf(), syslog(), or snprintf() rather than as a data argument - for example, printf(user_input) instead of printf('%s', user_input). This allows an attacker to inject format specifiers such as %x or %s to read from process memory, or %n to write to arbitrary addresses. The CPE string cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:* covers the full Netatalk application stack. EUVD-2026-31223 independently corroborates the affected version range as 3.0.3 through 4.4.2 inclusive.

RemediationAI

Upgrade Netatalk to version 4.5.0, the vendor-confirmed fixed release per the CVE description and the official advisory at https://netatalk.io/security/CVE-2026-7835. If an immediate upgrade is not operationally feasible, restrict AFP service access to explicitly trusted, authenticated users and enforce network-level controls blocking TCP port 548 from untrusted segments - this reduces the attack surface given the AC:H and PR:L requirements, though it will interrupt legitimate Apple client file-sharing connectivity. Additionally, auditing which users hold AFP credentials and enforcing least-privilege access limits the pool of potential authenticated attackers. These compensating controls do not eliminate the vulnerability and should be treated as temporary measures only pending the upgrade to 4.5.0.

CVE-2018-1160 CRITICAL POC
9.8 Dec 20

Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. Rated critical severity (CVSS 9.8), th

CVE-2022-45188 HIGH POC
7.8 Nov 12

Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl fi

CVE-2023-42464 CRITICAL
9.8 Sep 20

A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. Rated c

CVE-2022-22995 CRITICAL
9.8 Mar 25

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of file

CVE-2021-31439 HIGH
8.8 May 21

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology Dis

CVE-2026-44069 LOW
3.9 May 21

Integer underflow in Netatalk's volxlate function affects all releases from 3.0.0 through 4.4.2, an open-source AFP (App

CVE-2026-44071 LOW
3.7 May 21

Netatalk versions 3.1.2 through 4.4.2 are distributed as binaries compiled without the FORTIFY_SOURCE flag, stripping aw

CVE-2026-44074 LOW
3.7 May 21

Incorrect errno calculation in Netatalk 2.1.0 through 4.4.2 allows remote unauthenticated attackers to cause minor servi

CVE-2026-44075 LOW
3.7 May 21

Missing break statement in Netatalk's DSI OpenSession handler allows DSIOPT_ATTNQUANT case to fall through into DSIOPT_S

CVE-2026-7837 LOW
3.7 May 21

TOCTOU race condition in Netatalk's ad_flush function across versions 3.0.0 through 4.4.2 exposes root-privileged file o

CVE-2026-44070 LOW
3.1 May 21

Unbounded realloc during charset conversion in Netatalk 2.0.0 through 4.4.2 allows an authenticated remote attacker to t

CVE-2026-44057 LOW
3.1 May 21

Information disclosure in Netatalk 3.0.0 through 4.4.2 stems from a dead bounds check (CWE-561) in the Spotlight RPC unm

Share

CVE-2026-7835 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy