netatalk.io

Netatalk Security Advisory

Subject: Stack-based buffer overflow in deletedir()
CVE ID: CVE-2026-45698
Severity: High
Disclosure Date: 2026/05/13
Affected Versions: 3.2.0 - 4.4.2
Summary: A stack-based buffer overflow exists in the deletedir() function, which is used for cross-device directory deletion.

Description

Directory deletion fallback handling can miscalculate the remaining space in a path buffer while processing file operations inside an AFP shared volume. An authenticated user may be able to trigger stack memory corruption, or crash the afpd child process, when a directory operation crosses a file system boundary within the volume.
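The defect class described above is a remaining-space miscalculation when directory entries are appended to a fixed-size path buffer. The following is an added example written for this advisory; it is not Netatalk's deletedir() or the patched code, and the buffer size, the volume path "/srv/afp/docs" and the entry names are constructed for the demonstration. It shows the bounded pattern a recursive deletion walk should use: account for the separator and the terminating NUL on every append, refuse (rather than truncate or overflow) a name that does not fit, and restore the buffer to the directory path before moving on.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PATHBUF 32  /* deliberately small so the limit is easy to reach in the demo */

/* Length of the string in buf, or bufsize if no terminator is found. */
static size_t bounded_len(const char *buf, size_t bufsize)
{
    const char *nul = memchr(buf, '\0', bufsize);
    return nul ? (size_t)(nul - buf) : bufsize;
}

/* Append "/" + name to the path in buf. Returns the new length, or -1 when the
 * result (separator, name and terminating NUL) would not fit in the remaining
 * space. On failure buf is unchanged, so the caller can report and stop. */
int path_append(char *buf, size_t bufsize, const char *name)
{
    size_t cur = bounded_len(buf, bufsize);
    if (cur >= bufsize)
        return -1;                      /* unterminated input: refuse */
    size_t remaining = bufsize - cur;   /* bytes free, including room for NUL */
    size_t namelen = strlen(name);
    if (namelen + 2 > remaining)        /* '/' + name + NUL must all fit */
        return -1;
    buf[cur] = '/';
    memcpy(buf + cur + 1, name, namelen);
    buf[cur + 1 + namelen] = '\0';
    return (int)(cur + 1 + namelen);
}

/* Simulates a deletion walk over constructed directory entries (standing in
 * for readdir() output): each name is appended, "processed", then popped.
 * Returns the number of entries handled, or -1 at the first name that does
 * not fit, leaving buf restored to the directory path. */
int walk_entries(char *buf, size_t bufsize, const char *const *names, size_t count)
{
    size_t base = bounded_len(buf, bufsize);
    if (base >= bufsize)
        return -1;
    for (size_t i = 0; i < count; i++) {
        if (path_append(buf, bufsize, names[i]) < 0) {
            buf[base] = '\0';           /* restore and report, never truncate */
            return -1;
        }
        /* per-entry work (unlink/rmdir) would happen here */
        buf[base] = '\0';               /* pop the component before the next entry */
    }
    return (int)count;
}

int main(void)
{
    char path[PATHBUF] = "/srv/afp/docs";   /* hypothetical volume directory */
    /* constructed entries: the last one needs 13 + 1 + 18 + 1 = 33 bytes, one too many */
    const char *entries[] = { "a.txt", "seventeen-chars-x", "eighteen-chars-xyz" };
    int n = walk_entries(path, sizeof path, entries, 3);
    printf("processed: %d, path after walk: \"%s\"\n", n, path);
    return n < 0 ? 1 : 0;
}
```

The check `namelen + 2 > remaining` is the whole point: both the separator and the terminator are charged against the remaining space, so a 17-character name fills the 32-byte buffer exactly and an 18-character name is rejected with the buffer untouched.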

Patch Availability

Apply CVE-2026-45698,CVE-2026-45699.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.

Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.

Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.

CVSS Calculation

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)

Workaround

Configure each AFP shared volume to be structured as a single file system; in other words, no subdirectory of a shared volume should be a mount point for a different file system.
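An administrator applying this workaround will want to verify it. The following is an added example, not part of the advisory or of Netatalk: it walks a volume directory and reports every subdirectory whose device id (st_dev) differs from the volume root's, which is exactly the condition that would make a directory operation cross-device. The default volume path "/srv/afp" is hypothetical, and make_sample_tree() builds a small constructed tree under /tmp only so the check can be exercised without a real share.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Recursive helper: count directories under dir whose device id differs
 * from rootdev. A directory on another device is reported and not descended. */
static long walk_devices(const char *dir, dev_t rootdev)
{
    DIR *d = opendir(dir);
    if (d == NULL) {
        fprintf(stderr, "warning: cannot read %s (%s)\n", dir, strerror(errno));
        return 0;
    }
    long found = 0;
    struct dirent *e;
    char path[PATH_MAX];
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        int n = snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (n < 0 || (size_t)n >= sizeof path) {
            fprintf(stderr, "warning: path too long under %s, skipped\n", dir);
            continue;
        }
        struct stat st;
        if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
            continue;       /* files and symlinks are not mount points; no link loops */
        if (st.st_dev != rootdev) {
            printf("mount point inside volume: %s\n", path);
            found++;
            continue;       /* do not walk into the foreign file system */
        }
        found += walk_devices(path, rootdev);
    }
    closedir(d);
    return found;
}

/* Returns the number of directories under root that live on a different
 * file system than root itself, or -1 if root is not a directory.
 * Zero means the volume satisfies the single-file-system workaround. */
long count_foreign_mounts(const char *root)
{
    struct stat rs;
    if (stat(root, &rs) != 0 || !S_ISDIR(rs.st_mode))
        return -1;
    return walk_devices(root, rs.st_dev);
}

/* Creates a constructed tree /tmp/afpvol-sample/docs/archive (tolerating an
 * existing one) so the check can be exercised offline. Writes the root into out. */
int make_sample_tree(char *out, size_t outsize)
{
    const char *dirs[] = { "/tmp/afpvol-sample",
                           "/tmp/afpvol-sample/docs",
                           "/tmp/afpvol-sample/docs/archive" };
    for (size_t i = 0; i < 3; i++)
        if (mkdir(dirs[i], 0700) != 0 && errno != EEXIST)
            return -1;
    snprintf(out, outsize, "%s", dirs[0]);
    return 0;
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : "/srv/afp";  /* hypothetical volume path */
    long n = count_foreign_mounts(root);
    if (n < 0) {
        fprintf(stderr, "%s: not a directory\n", root);
        return 2;
    }
    printf("%ld foreign mount point(s) under %s\n", n, root);
    return n == 0 ? 0 : 1;  /* nonzero exit flags a volume that spans file systems */
}
```

Run it against each volume path listed in afp.conf; any line reading "mount point inside volume" identifies a directory that must be moved out of the share or unmounted for the workaround to hold. The walk uses lstat() so symlinks are neither followed nor counted, and it stops at the first foreign directory rather than descending into it.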

Credits

Vulnerability reported by:

Tsolmon Zorigoo (@ZTsolmon)

Patch developed by:

Daniel Markstedt of the Netatalk team

References

