Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A time-of-check time-of-use (TOCTOU) condition in the ad_flush function in Netatalk 3.0.0 through 4.4.2 involves root-privileged file operations, which may allow a remote attacker to cause limited data modification under specific race conditions.
AnalysisAI
TOCTOU race condition in Netatalk's ad_flush function across versions 3.0.0 through 4.4.2 exposes root-privileged file operations to remote manipulation, enabling limited data modification under constrained timing conditions. Unauthenticated network attackers (PR:N, AV:N per CVSS) must win a precise race window, making this high-complexity and low-impact - CVSS scores it 3.7 (Low) with integrity-only consequences and no confidentiality or availability impact. No public exploit code exists and the vulnerability is not confirmed actively exploited in CISA KEV at time of analysis.
Technical ContextAI
Netatalk is an open-source AFP (Apple Filing Protocol) server enabling Unix/Linux systems to serve files to macOS clients. The vulnerable ad_flush function handles AppleDouble format metadata flushing - AppleDouble is the encoding Netatalk uses to store Mac-specific resource forks and Finder metadata alongside data files, and ad_flush is invoked during normal AFP file operations to persist this metadata. CWE-367 (TOCTOU Race Condition) defines the root cause: the function checks a file's state at one time (the 'check') and acts on it at a later time (the 'use'), creating a window in which the file system state can be altered by an external actor. Because ad_flush executes with root privileges, a successful race allows the privileged process to operate on an attacker-influenced file path rather than the intended target. The CPE string cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:* carries no OS-specific qualifier, indicating the flaw spans all platforms running this software version range.
RemediationAI
Consult the vendor security advisory at https://netatalk.io/security/CVE-2026-7837 and upgrade Netatalk to the first release beyond 4.4.2 that addresses this CVE - an exact fixed version number was not independently confirmed from the provided input data, so administrators must verify the target upgrade version directly from the advisory before patching. If an immediate upgrade is operationally infeasible, restrict AFP service exposure to trusted internal network segments via firewall ACLs, eliminating the network attack vector at the cost of reduced remote macOS client accessibility. As a more aggressive workaround, disabling AppleDouble metadata support (if operationally acceptable) would remove the vulnerable ad_flush code path, but this will break Mac resource fork and Finder metadata compatibility for AFP clients. Organizations that no longer have active macOS AFP clients should evaluate whether Netatalk remains necessary and consider decommissioning the service entirely.
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. Rated critical severity (CVSS 9.8), th
Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl fi
A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. Rated c
The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of file
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology Dis
Integer underflow in Netatalk's volxlate function affects all releases from 3.0.0 through 4.4.2, an open-source AFP (App
Netatalk versions 3.1.2 through 4.4.2 are distributed as binaries compiled without the FORTIFY_SOURCE flag, stripping aw
Incorrect errno calculation in Netatalk 2.1.0 through 4.4.2 allows remote unauthenticated attackers to cause minor servi
Missing break statement in Netatalk's DSI OpenSession handler allows DSIOPT_ATTNQUANT case to fall through into DSIOPT_S
Unbounded realloc during charset conversion in Netatalk 2.0.0 through 4.4.2 allows an authenticated remote attacker to t
Format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows authenticated network attackers to cause low-seve
Information disclosure in Netatalk 3.0.0 through 4.4.2 stems from a dead bounds check (CWE-561) in the Spotlight RPC unm
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31245
GHSA-m59f-94xh-r8f7