
Netatalk Security Advisory

Subject: Integer underflow in Spotlight RPC count decrement
CVE ID#: CVE-2026-45356
Severity: High
Disclosure Date: 2026/05/13
Affected Versions: 3.1.0 - 4.4.2
Summary: A crafted Spotlight RPC request can trigger an integer underflow in unmarshalling logic, leading to heap out-of-bounds reads or a process crash.

Description

Spotlight RPC unmarshalling can continue beyond the intended bounds of a crafted request: a count field controlled by the client is subtracted from an unsigned counter, which wraps and no longer limits subsequent reads. When Spotlight is enabled, a low-privilege authenticated user may be able to disclose adjacent heap contents or crash the afpd child process serving their session.
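The bug class described above, shown as an added illustration that is not Netatalk's code and does not use the Spotlight RPC encoding: a constructed wire format in which a client-supplied "number of tags" is subtracted from an unsigned "remaining words" counter. The vulnerable parser decrements without checking and uses the wrapped counter as its only read bound; the hardened parser rejects a count that would underflow and bounds every read by the bytes actually received. The sample requests and the "adjacent heap" filler are constructed here; the `backing_len` clamp in the vulnerable version only keeps the demo inside its own array where a real parser would keep walking into foreign heap memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical wire format (little-endian 32-bit words), not Netatalk's:
 *   word 0   : nwords - how many words the client says follow
 *   word 1   : ntags  - number of tag words
 *   word 2.. : ntags tag words, then value words until nwords is used up */

enum { UM_OK = 0, UM_TRUNCATED = -1, UM_BAD_COUNT = -2 };

struct um_result {
    int status;
    size_t consumed;     /* bytes the parser read */
    size_t oob_bytes;    /* bytes read beyond the request; must be 0 */
    uint32_t value_sum;  /* stands in for the decoded payload */
};

static uint32_t get_u32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable: 'remaining' is unsigned, decremented by client-controlled
 * ntags with no check, and is the only bound on the value loop.  With
 * ntags > nwords it wraps to ~4 billion.  The backing_len clamp stands in
 * for the crash (or silent disclosure) that a real parser would hit. */
static struct um_result unmarshal_vulnerable(const uint8_t *buf,
                                             size_t request_len,
                                             size_t backing_len)
{
    struct um_result r = { UM_OK, 0, 0, 0 };
    if (request_len < 8) { r.status = UM_TRUNCATED; return r; }
    uint32_t remaining = get_u32(buf);
    uint32_t ntags = get_u32(buf + 4);
    size_t pos = 8;
    remaining -= ntags;             /* BUG: underflows when ntags > remaining */
    pos += (size_t)ntags * 4;       /* skip the tag words */
    while (remaining > 0 && pos + 4 <= backing_len) {
        r.value_sum += get_u32(buf + pos);
        pos += 4;
        remaining--;
    }
    r.consumed = pos;
    r.oob_bytes = pos > request_len ? pos - request_len : 0;
    return r;
}

/* Hardened: the claimed total must fit in the bytes received, a count
 * that would underflow is rejected before the subtraction, and every
 * read is still checked against request_len. */
static struct um_result unmarshal_hardened(const uint8_t *buf,
                                           size_t request_len)
{
    struct um_result r = { UM_OK, 0, 0, 0 };
    if (request_len < 8) { r.status = UM_TRUNCATED; return r; }
    uint32_t remaining = get_u32(buf);
    uint32_t ntags = get_u32(buf + 4);
    size_t pos = 8;
    if ((size_t)remaining > (request_len - pos) / 4) { r.status = UM_BAD_COUNT; return r; }
    if (ntags > remaining) { r.status = UM_BAD_COUNT; return r; }   /* would wrap */
    remaining -= ntags;
    pos += (size_t)ntags * 4;
    while (remaining > 0) {
        if (request_len - pos < 4) { r.status = UM_TRUNCATED; return r; }
        r.value_sum += get_u32(buf + pos);
        pos += 4;
        remaining--;
    }
    r.consumed = pos;
    return r;
}

/* Constructed sample: well-formed request, nwords = 3 (1 tag + 2 values). */
static const uint8_t benign_req[] = {
    3,0,0,0,  1,0,0,0,  0x11,0,0,0,  5,0,0,0,  7,0,0,0
};

/* Constructed sample: nwords = 1 but ntags = 2, so 'remaining' wraps.
 * The request is 20 bytes; the 16 bytes after it play the adjacent heap. */
static const uint8_t crafted_backing[] = {
    1,0,0,0,  2,0,0,0,  0xAA,0,0,0,  0xBB,0,0,0,  1,0,0,0,
    'S','E','C','R','E','T',' ','K','E','Y',' ','B','Y','T','E','S'
};
#define CRAFTED_REQUEST_LEN 20

int main(void) {
    struct um_result v = unmarshal_vulnerable(crafted_backing, CRAFTED_REQUEST_LEN,
                                              sizeof crafted_backing);
    struct um_result h = unmarshal_hardened(crafted_backing, CRAFTED_REQUEST_LEN);
    printf("vulnerable: consumed %zu bytes, %zu past the request\n",
           v.consumed, v.oob_bytes);
    printf("hardened:   status %d (UM_BAD_COUNT is %d)\n", h.status, UM_BAD_COUNT);
    return 0;
}
```

The check that matters is the one before the subtraction: once an unsigned counter has wrapped, no later comparison against it can recover the real bound, so the hardened version also caps the claimed total against `request_len` and re-checks each read, which keeps the parser safe even if a later edit drops one of the checks.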

Patch Availability

Apply CVE-2026-45356.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.

Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.

Netatalk administrators are advised to upgrade to Netatalk 4.4.3 or later, or to apply the patch, as soon as possible.

CVSS Calculation

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L (7.1)

Workaround

Disable Spotlight indexing in afp.conf:

spotlight = no

Set this in the [Global] section and check that no volume section re-enables it, since the option can also be set per volume, then reload or restart the netatalk service. This prevents the vulnerable code path from being reached entirely.

Credits

Vulnerability reported by:

@TristanInSec

Patch developed by:

Daniel Markstedt of the Netatalk team
