Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
A dead bounds check in the Spotlight RPC unmarshaller in Netatalk 3.0.0 through 4.4.2 results in an unreachable code path that provides no effective bounds protection, which may allow a remote authenticated attacker to obtain limited information via crafted Spotlight RPC requests.
AnalysisAI
Information disclosure in Netatalk 3.0.0 through 4.4.2 stems from a dead bounds check (CWE-561) in the Spotlight RPC unmarshaller - code intended to enforce input boundaries is logically unreachable, leaving RPC input processing without effective size validation. Remote attackers who hold at least low-level credentials can submit crafted Spotlight RPC requests to extract limited confidential information from the service. No public exploit has been identified at time of analysis, and the CVSS 3.1 score correctly reflects the constrained real-world impact: high attack complexity, authentication required, and confidentiality-only impact with no integrity or availability consequence.
Technical ContextAI
Netatalk is an open-source implementation of the Apple Filing Protocol (AFP) for Unix-like systems, providing macOS-compatible file sharing including Spotlight-based remote search via its RPC subsystem. The Spotlight RPC unmarshaller is responsible for parsing and validating incoming search requests from macOS clients. CWE-561 (Dead Code) identifies the root cause: bounds-checking logic exists in the source code but sits behind a conditional that can never evaluate to true given prior code paths, rendering the check permanently unreachable at runtime. The practical result is that the unmarshaller processes attacker-supplied RPC data without the intended boundary enforcement. The affected CPE is cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:* covering the version range 3.0.0 through 4.4.2 as confirmed by ENISA EUVD-2026-31243.
RemediationAI
Consult the vendor advisory at https://netatalk.io/security/CVE-2026-44057 for the official patch; an exact fixed version number was not independently confirmed in the available intelligence data, so administrators should check the advisory directly for the minimum safe version. As a compensating control while patching is planned, disable Spotlight RPC functionality in Netatalk if macOS Spotlight search integration over network shares is not operationally required - this eliminates the vulnerable code path entirely, with the trade-off of losing macOS Finder search capability against AFP shares. Additionally, restrict AFP service access (TCP port 548 and associated Spotlight RPC ports) at the network perimeter to only authorized, trusted hosts and authenticated user accounts, reducing exposure to the PR:L authentication threshold. Monitoring for anomalous or high-volume Spotlight RPC request patterns may help detect exploitation attempts given the AC:H requirement for crafted payloads.
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. Rated critical severity (CVSS 9.8), th
Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl fi
A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. Rated c
The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of file
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology Dis
Integer underflow in Netatalk's volxlate function affects all releases from 3.0.0 through 4.4.2, an open-source AFP (App
Netatalk versions 3.1.2 through 4.4.2 are distributed as binaries compiled without the FORTIFY_SOURCE flag, stripping aw
Incorrect errno calculation in Netatalk 2.1.0 through 4.4.2 allows remote unauthenticated attackers to cause minor servi
Missing break statement in Netatalk's DSI OpenSession handler allows DSIOPT_ATTNQUANT case to fall through into DSIOPT_S
TOCTOU race condition in Netatalk's ad_flush function across versions 3.0.0 through 4.4.2 exposes root-privileged file o
Unbounded realloc during charset conversion in Netatalk 2.0.0 through 4.4.2 allows an authenticated remote attacker to t
Format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows authenticated network attackers to cause low-seve
Same weakness CWE-561 – Dead Code
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31243
GHSA-w95q-jvf4-8fvp