Netatalk Security Advisory
| Subject | Heap out-of-bounds reads in Spotlight RPC unmarshalling |
|---|---|
| CVE ID# | CVE-2026-44066 |
| Severity | High |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 3.1.0 - 4.4.2 |
| Summary | The Spotlight RPC unmarshaller does not receive or track the actual buffer length, enabling heap out-of-bounds reads |
Description
Spotlight RPC unmarshalling does not consistently enforce request buffer boundaries while processing client-controlled structure metadata. When Spotlight is enabled, an authenticated client may be able to crash the afpd child process, cause resource exhaustion, or expose adjacent heap data. Remote code execution is not evident from the reads alone.
The related dead bounds check described in CVE-2026-44057 is a contributing code-quality issue in the same area.
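The bug class described above, as an added illustration that is not Netatalk's code and does not reproduce the real Spotlight RPC encoding: a toy length-prefixed wire format (an assumption made for the example) is walked once the way the advisory describes, with no buffer length available to the unmarshaller, and once with a cursor that carries the buffer length and rejects client-supplied counts and lengths that do not fit in the bytes that remain. The sample messages are constructed, not captured traffic.

```c
/* Added example, not Netatalk source. The wire format is an assumption for
 * illustration only: little-endian uint32 item count, then items of
 * (uint32 key length, key bytes). It is NOT Spotlight's real RPC encoding. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ITEMS 1024   /* sanity cap on a client-supplied element count */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable pattern: no buffer length is passed in, so the only thing
 * bounding the walk is the attacker's own count and length fields. With a
 * huge count or an oversized key length, p steps past the end of the heap
 * allocation and every rd32() reads adjacent heap data (or faults). Shown
 * for contrast; only ever call it on well-formed input. */
int unmarshal_unsafe(const uint8_t *buf, size_t *out_items) {
    const uint8_t *p = buf;
    uint32_t count = rd32(p); p += 4;            /* client-controlled */
    for (uint32_t i = 0; i < count; i++) {
        uint32_t klen = rd32(p); p += 4;         /* client-controlled */
        p += klen;                               /* never checked against the end */
    }
    *out_items = count;
    return 0;
}

/* Hardened pattern: carry (buf, len, off) together and check every read and
 * skip against the bytes that actually remain. */
typedef struct { const uint8_t *buf; size_t len; size_t off; } cursor_t;

static int take_u32(cursor_t *c, uint32_t *v) {
    if (c->len - c->off < 4) return -1;          /* off <= len always holds */
    *v = rd32(c->buf + c->off);
    c->off += 4;
    return 0;
}

static int skip(cursor_t *c, uint32_t n) {
    if (n > c->len - c->off) return -1;          /* rejects oversized lengths */
    c->off += n;
    return 0;
}

int unmarshal_safe(const uint8_t *buf, size_t len, size_t *out_items) {
    cursor_t c = { buf, len, 0 };
    uint32_t count;
    if (take_u32(&c, &count) < 0) return -1;
    /* A count that cannot fit in the remaining bytes (each item needs at
     * least its 4-byte length) is rejected up front; this also bounds the
     * loop, which addresses the resource-exhaustion angle in the advisory. */
    if (count > MAX_ITEMS || (size_t)count * 4 > c.len - c.off) return -1;
    for (uint32_t i = 0; i < count; i++) {
        uint32_t klen;
        if (take_u32(&c, &klen) < 0) return -1;
        if (skip(&c, klen) < 0) return -1;
    }
    *out_items = count;
    return 0;
}

/* Constructed sample messages for the example. */
static const uint8_t msg_good[]       = {2,0,0,0, 3,0,0,0,'a','b','c', 1,0,0,0,'x'};
static const uint8_t msg_huge_count[] = {0xff,0xff,0xff,0xff};
static const uint8_t msg_huge_klen[]  = {1,0,0,0, 0x00,0x10,0,0, 'a'};

/* Returns the number of items parsed by the hardened unmarshaller, or -1
 * when the message is rejected. */
long parse_items(const uint8_t *m, size_t len) {
    size_t n;
    return unmarshal_safe(m, len, &n) == 0 ? (long)n : -1;
}

int main(void) {
    size_t n = 0;
    unmarshal_unsafe(msg_good, &n);              /* fine only because input is well-formed */
    printf("unsafe on good: %zu items\n", n);
    printf("safe  on good: %ld\n", parse_items(msg_good, sizeof msg_good));
    printf("safe  on huge count: %ld\n", parse_items(msg_huge_count, sizeof msg_huge_count));
    printf("safe  on huge klen: %ld\n", parse_items(msg_huge_klen, sizeof msg_huge_klen));
    return 0;
}
```

The point of the hardened variant is structural: the buffer length travels with the pointer in one cursor, so there is no call path on which a read can be issued without first comparing against the remaining length.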
Patch Availability
Apply CVE-2026-44057,CVE-2026-44066.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.
Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS Calculation
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L (7.1)
Workaround
Disable Spotlight indexing in afp.conf by setting, in the [Global] section:
spotlight = no
Also remove any per-volume `spotlight = yes` override, since a volume-level setting takes precedence over the global value, then restart Netatalk so afpd re-reads the configuration. With Spotlight disabled, the vulnerable unmarshalling code path is never reached.
Credits
Vulnerability reported by:
@00redbeer
Independently discovered and reported by:
@TristanInSec
Patch developed by:
Daniel Markstedt of the Netatalk team