netatalk.io

Netatalk Security Advisory

Subject: Heap buffer overflow in CNID daemon comm_rcv()
CVE ID: CVE-2026-44050
Severity: Critical
Disclosure Date: 2026/05/13
Affected Versions: 2.0.0 - 4.4.2
Summary: The CNID daemon trusts a request-supplied name length and reads attacker-controlled data into a fixed-size name buffer.

Description

The CNID daemon trusts a client-controlled name length when receiving requests. A local client that can reach the CNID service may be able to overflow daemon memory and crash the service.
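
The bug class described above, as an added illustration that is not Netatalk's code or the actual patch: a receive routine must check a request-supplied name length against both the fixed-size destination buffer and the bytes actually received before copying. The header layout, `NAME_BUF_LEN` and `parse_request` are hypothetical names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 256            /* hypothetical fixed-size name buffer */

/* Hypothetical wire header; not Netatalk's actual request layout. */
struct req_hdr {
    uint32_t op;
    uint32_t namelen;               /* supplied by the client: untrusted */
};

struct request {
    struct req_hdr hdr;
    char name[NAME_BUF_LEN];
};

/* Parse one request from a received byte buffer.
 * Returns 0 on success, -1 if the message is malformed. */
int parse_request(const unsigned char *msg, size_t msglen, struct request *out)
{
    if (msglen < sizeof(out->hdr))
        return -1;                  /* too short to hold a header */
    memcpy(&out->hdr, msg, sizeof(out->hdr));

    size_t namelen = out->hdr.namelen;
    /* Without this check the copy below writes past out->name. */
    if (namelen > sizeof(out->name))
        return -1;
    /* The claimed length must also not exceed what was received. */
    if (namelen > msglen - sizeof(out->hdr))
        return -1;

    memcpy(out->name, msg + sizeof(out->hdr), namelen);
    return 0;
}

int main(void)
{
    /* Constructed request: header claims 600 name bytes for a 256-byte buffer. */
    unsigned char msg[sizeof(struct req_hdr) + 600] = {0};
    struct req_hdr h = { 1, 600 };
    struct request r;
    memcpy(msg, &h, sizeof(h));
    printf("oversized request: %s\n",
           parse_request(msg, sizeof(msg), &r) ? "rejected" : "accepted");
    return 0;
}
```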

Patch Availability

Apply CVE-2026-44050.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.

Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.

Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.

CVSS Calculation

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (9.9)

Workaround

Use the sqlite CNID backend instead of dbd.

cnid scheme = sqlite

If you absolutely must use the dbd backend, restrict access to AFP and local CNID daemon sockets to trusted users and hosts until patched.

Credits

Vulnerability reported by:

@00redbeer

Patch developed by:

Daniel Markstedt of the Netatalk team
