Netatalk Security Advisory
| Subject | Integer underflow to heap OOB read |
|---|---|
| CVE ID# | CVE-2026-45355 |
| Severity | High |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 3.1.0 - 4.4.2 |
| Summary | An attacker-controlled value in Spotlight RPC string unmarshalling causes a signed integer underflow that triggers a heap out-of-bounds read |
Description
Spotlight RPC string unmarshalling can miscalculate a client-controlled string length and read beyond the intended request buffer. A low-privilege authenticated user may be able to disclose heap contents or crash the afpd child process when Spotlight is enabled.
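The bug class described above, shown as an added illustration that is not Netatalk's code: a constructed length-prefixed string format (the wire layout, the 4-byte length field and the sample requests are assumptions for this example, not the Spotlight RPC encoding) is parsed first with the signed-arithmetic pattern that underflows, then with a hardened unsigned check. The vulnerable function only reports the length it would have handed to the copy and whether its bound check passed; it never performs the out-of-bounds read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy wire format (an assumption for this illustration, not the
 * Spotlight RPC layout): a 4-byte little-endian length field followed by the
 * string bytes. The field counts itself plus the string, so the smallest
 * legal value is 4. */
#define LEN_FIELD_SIZE 4u

static uint32_t rd_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the string length is derived with signed arithmetic and
 * the "fits in the request" check is signed too. A field value below
 * LEN_FIELD_SIZE yields a negative length that satisfies the check; when the
 * copy later converts it to size_t it becomes huge and the copy reads past the
 * request buffer on the heap. This function only computes that length and
 * reports whether the check passed; it performs no read.
 * Returns the signed length; *accepted is set to the check result. */
static int vuln_string_len(const uint8_t *buf, size_t buflen, bool *accepted)
{
    *accepted = false;
    if (buflen < LEN_FIELD_SIZE)
        return -1;
    int field = (int)rd_u32le(buf);
    int str_len = field - (int)LEN_FIELD_SIZE;      /* -2 when field == 2 */
    int remaining = (int)(buflen - LEN_FIELD_SIZE);
    if (str_len <= remaining)                       /* a negative length passes */
        *accepted = true;
    return str_len;
}

/* Hardened form: stay unsigned, reject the field before subtracting so the
 * subtraction cannot wrap, bound the result by the bytes actually left in the
 * request, and keep room for the terminating NUL in the destination. */
static bool safe_unmarshal_string(const uint8_t *buf, size_t buflen,
                                  char *out, size_t outlen, size_t *str_len)
{
    if (buflen < LEN_FIELD_SIZE)
        return false;
    uint32_t field = rd_u32le(buf);
    if (field < LEN_FIELD_SIZE)                     /* would underflow */
        return false;
    size_t len = field - LEN_FIELD_SIZE;
    if (len > buflen - LEN_FIELD_SIZE)              /* claims more than was sent */
        return false;
    if (len >= outlen)                              /* no room for the NUL */
        return false;
    memcpy(out, buf + LEN_FIELD_SIZE, len);
    out[len] = '\0';
    *str_len = len;
    return true;
}

/* Constructed sample requests (not captured traffic). */
static const uint8_t GOOD_REQ[] = { 7, 0, 0, 0, 'a', 'b', 'c' };   /* 4 + 3 bytes */
static const uint8_t BAD_REQ[]  = { 2, 0, 0, 0, 'x', 'y', 'z' };   /* 2 < 4: underflow */
static const uint8_t LONG_REQ[] = { 100, 0, 0, 0, 'x', 'y', 'z' }; /* claims 96, has 3 */

/* Wrappers so each outcome is a plain return value. */
int demo_vuln_len(void)
{
    bool acc;
    return vuln_string_len(BAD_REQ, sizeof BAD_REQ, &acc);
}

int demo_vuln_accepted(void)
{
    bool acc;
    (void)vuln_string_len(BAD_REQ, sizeof BAD_REQ, &acc);
    return acc ? 1 : 0;
}

/* Parsed length, or -1 when the hardened parser rejects the request. */
static int safe_len_of(const uint8_t *req, size_t n, char *out, size_t outlen)
{
    size_t len;
    return safe_unmarshal_string(req, n, out, outlen, &len) ? (int)len : -1;
}

int demo_safe_good(void) { char o[16]; return safe_len_of(GOOD_REQ, sizeof GOOD_REQ, o, sizeof o); }
int demo_safe_bad(void)  { char o[16]; return safe_len_of(BAD_REQ,  sizeof BAD_REQ,  o, sizeof o); }
int demo_safe_long(void) { char o[16]; return safe_len_of(LONG_REQ, sizeof LONG_REQ, o, sizeof o); }

int main(void)
{
    char out[16];
    printf("vulnerable: len=%d accepted=%d\n", demo_vuln_len(), demo_vuln_accepted());
    printf("hardened:   good=%d bad=%d long=%d\n",
           demo_safe_good(), demo_safe_bad(), demo_safe_long());
    if (safe_len_of(GOOD_REQ, sizeof GOOD_REQ, out, sizeof out) == 3)
        printf("hardened parsed \"%s\"\n", out);
    return 0;
}
```

The two checks that matter in the hardened version are ordering and type: the field is compared against its minimum before any subtraction, and every quantity stays unsigned and is bounded by the bytes actually present in the request rather than by a value the client supplied.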
Patch Availability
Apply CVE-2026-45355.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.
Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS Calculation
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L (7.1)
Workaround
Disable Spotlight indexing in afp.conf:
spotlight = no
This prevents the vulnerable code path from being reached entirely.
Credits
Vulnerability reported by:
@TristanInSec
Patch developed by:
Daniel Markstedt of the Netatalk team