Skip to main content

Netatalk EUVDEUVD-2026-31217

| CVE-2026-44070 LOW
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-21 securin GHSA-vmvv-qm72-v4fg
3.1
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 08:07 vuln.today

DescriptionCVE.org

In Netatalk 2.0.0 through 4.4.2, unbounded realloc in charset conversion. Fixed in 4.5.0.

AnalysisAI

Unbounded realloc during charset conversion in Netatalk 2.0.0 through 4.4.2 allows an authenticated remote attacker to trigger excessive memory allocation, resulting in limited availability impact. The flaw is classified under CWE-770 (resource allocation without limits) and carries a low CVSS score of 3.1, reflecting constrained exploitability due to high attack complexity and required authentication. No public exploit code or active exploitation has been identified at time of analysis; a fix was released in version 4.5.0.

Technical ContextAI

Netatalk is an open-source implementation of Apple's AFP (Apple Filing Protocol) and related Apple networking services for Unix/Linux hosts, enabling macOS clients to mount and interact with remote file shares. The vulnerable code path lies in the charset conversion subsystem, which translates between character encodings (e.g., UTF-8, Mac Roman) during file name and metadata processing. The root cause is CWE-770: a realloc() call within this conversion routine lacks an upper bound on allocation size, meaning specially crafted input can cause the process to repeatedly expand a memory buffer without constraint. Over time or under sustained input, this exhausts available memory on the host, degrading or disrupting the AFP service. The affected CPE is cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:* covering versions 2.0.0 through 4.4.2 per EUVD-2026-31217 and NVD data.

RemediationAI

The vendor-released patch is Netatalk 4.5.0. Administrators should upgrade from any version in the 2.0.0-4.4.2 range to 4.5.0 or later. The vendor advisory is available at https://netatalk.io/security/CVE-2026-44070. For environments where an immediate upgrade is not feasible, compensating controls include restricting AFP service access to trusted network segments via firewall rules (blocking TCP port 548), requiring strong authentication to limit the pool of users who can send charset-triggering input, and monitoring process memory usage of the netatalk daemon to detect abnormal growth and trigger automated restarts. These controls reduce exposure but do not eliminate the underlying flaw.

CVE-2018-1160 CRITICAL POC
9.8 Dec 20

Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. Rated critical severity (CVSS 9.8), th

CVE-2022-45188 HIGH POC
7.8 Nov 12

Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl fi

CVE-2023-42464 CRITICAL
9.8 Sep 20

A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. Rated c

CVE-2022-22995 CRITICAL
9.8 Mar 25

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of file

CVE-2021-31439 HIGH
8.8 May 21

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology Dis

CVE-2026-44069 LOW
3.9 May 21

Integer underflow in Netatalk's volxlate function affects all releases from 3.0.0 through 4.4.2, an open-source AFP (App

CVE-2026-44071 LOW
3.7 May 21

Netatalk versions 3.1.2 through 4.4.2 are distributed as binaries compiled without the FORTIFY_SOURCE flag, stripping aw

CVE-2026-44074 LOW
3.7 May 21

Incorrect errno calculation in Netatalk 2.1.0 through 4.4.2 allows remote unauthenticated attackers to cause minor servi

CVE-2026-44075 LOW
3.7 May 21

Missing break statement in Netatalk's DSI OpenSession handler allows DSIOPT_ATTNQUANT case to fall through into DSIOPT_S

CVE-2026-7837 LOW
3.7 May 21

TOCTOU race condition in Netatalk's ad_flush function across versions 3.0.0 through 4.4.2 exposes root-privileged file o

CVE-2026-7835 LOW
3.1 May 21

Format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows authenticated network attackers to cause low-seve

CVE-2026-44057 LOW
3.1 May 21

Information disclosure in Netatalk 3.0.0 through 4.4.2 stems from a dead bounds check (CWE-561) in the Spotlight RPC unm

Share

EUVD-2026-31217 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy