SB2026071203 - Multiple vulnerabilities in Netatalk
Published: July 12, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 15 vulnerabilities.
1) Integer underflow (CVE-ID: CVE-2026-45699)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to integer underflow in copydir() in the afpd daemon when handling cross-device directory rename operations inside an AFP shared volume. A remote user can trigger a crafted file operation to execute arbitrary code.
At minimum, successful exploitation can crash an afpd worker process. The issue is triggered when a file operation crosses a device boundary that the standard library renameat() cannot handle.
2) Integer underflow (CVE-ID: CVE-2026-45698)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code or cause a denial of service.
The vulnerability exists due to integer underflow in deletedir() in the afpd daemon when processing file operations that cross a device boundary inside an AFP shared volume. A remote user can provide a crafted filename to trigger a stack-based buffer overflow and execute arbitrary code or cause a denial of service.
The overflow occurs because an unsigned remaining-size calculation wraps to SIZE_MAX, causing a subsequent bounds check to always evaluate as safe before strcpy() copies attacker-controlled data into a nearly full stack buffer.
3) Integer underflow (CVE-ID: CVE-2026-44060)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to integer underflow in dsi_writeinit() when processing a crafted DSI packet with dsi_doff greater than dsi_len. A remote attacker can send a specially crafted DSI packet to cause a denial of service.
When exploited through the authenticated DSIFUNC_WRITE path, the issue can also consume significant disk space by splicing attacker-controlled socket data into a file. Pre-authentication exploitation requires chaining with the DSI protocol desynchronization vulnerability.
4) Link following (CVE-ID: CVE-2026-44051)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to create arbitrary symlinks and disclose sensitive information.
The vulnerability exists due to improper link resolution before file access in the afp_setfilparams FPSetFilParms command handler when processing FinderInfo values set to "slnkrhap" for a file whose contents are used as the symlink target path. A remote user can create a file containing an arbitrary path string and send a crafted FPSetFilParms request to create arbitrary symlinks and disclose sensitive information.
Exploitation requires write access to an AFP volume, and the disclosure occurs when another service or process follows the created symlink.
5) Integer underflow (CVE-ID: CVE-2026-45356)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to integer underflow in sl_unpack_loop when processing Spotlight RPC array elements with an attacker-controlled subcount value. A remote user can send a specially crafted Spotlight RPC request to disclose sensitive information.
The out-of-bounds data read from heap memory is stored in dalloc structures and returned to the client in the Spotlight RPC response.
6) Integer underflow (CVE-ID: CVE-2026-45355)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information and cause a denial of service.
The vulnerability exists due to integer underflow in sl_unpack_cpx when processing Spotlight RPC string unmarshalling fields. A remote user can send a specially crafted Spotlight RPC request to disclose sensitive information and cause a denial of service.
The issue occurs when a negative signed string length is implicitly cast to an unsigned size_t value, leading to a massive heap out-of-bounds read. The vulnerable request is reachable through a post-auth AFP command, and the UTF-16 string path may expose more memory than the plain string path.
7) Out-of-bounds read (CVE-ID: CVE-2026-44066)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in the Spotlight RPC binary protocol unmarshaller sl_unpack() when parsing Spotlight RPC requests. A remote user can send a specially crafted Spotlight RPC packet with attacker-controlled offsets and counts to disclose sensitive information.
The issue is reachable post-authentication through AFP Spotlight RPC requests, and in some cases reads past the heap allocation can also cause a denial of service.
8) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-45354)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to inconsistent interpretation of protocol fields in the DSI packet receiver when processing crafted DSI packets. A remote attacker can send a specially crafted DSIFUNC_CMD packet with a non-zero dsi_code value to cause a denial of service.
The issue can be triggered before authentication after completing DSIOpenSession, and leftover attacker-controlled bytes in the readahead buffer are interpreted as a subsequent DSI packet header.
9) SQL injection (CVE-ID: CVE-2026-44047)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in libatalk/cnid/mysql/cnid_mysql.c when processing AFP filenames in MySQL CNID backend queries. A remote user can create or access files with specially crafted names to execute arbitrary SQL commands.
Only servers compiled with the non-default MySQL CNID backend are vulnerable.
10) SQL injection (CVE-ID: N/A)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject arbitrary SQL.
The vulnerability exists due to improper neutralization of special elements in sql commands in the MySQL CNID backend functions when processing crafted filenames. A remote user can create files with specially crafted names to inject arbitrary SQL.
11) Stack-based buffer overflow (CVE-ID: N/A)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a stack-based buffer overflow in convert_charset() when processing filenames with decomposable Unicode characters. A remote attacker can supply a specially crafted filename to execute arbitrary code.
The issue is triggered by type confusion that uses a byte count as a ucs2_t array index for null termination, causing a write at double the intended offset.
12) Heap-based buffer overflow (CVE-ID: N/A)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a heap-based buffer overflow in comm_rcv() when handling network requests containing an oversized name length. A remote attacker can send a specially crafted request to execute arbitrary code.
The function reads rqst->namelen from the network without bounds validation and writes that many bytes into a 1025-byte buffer.
13) Link following (CVE-ID: N/A)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper link resolution before file access in FinderInfo handling when processing crafted metadata that sets FinderInfo to "slnkrhap". A remote user can create a crafted file state to disclose sensitive information.
The server creates a symlink using file contents as the target with no path validation.
14) Inclusion of Sensitive Information in Log Files (CVE-ID: N/A)
CWE-ID: CWE-532 - Information Exposure Through Log Files
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to insertion of sensitive information into log files in LDAP bind error handling when an LDAP bind attempt fails. A remote attacker can trigger a failed LDAP bind to disclose sensitive information.
The bind password is logged at error level in cleartext.
15) Use of a broken or risky cryptographic algorithm (CVE-ID: N/A)
CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to use of a broken or risky cryptographic algorithm in the DHCAST128 UAM when performing password authentication. A remote attacker can observe the authentication exchange to disclose sensitive information.
A 16-byte hardcoded Diffie-Hellman prime makes passive password recovery trivially solvable.
Remediation
Install update from vendor's website.
References
- https://github.com/Netatalk/netatalk/security/advisories/GHSA-fphv-pf29-p77m
- https://github.com/Netatalk/netatalk/security/advisories/GHSA-5443-v9xg-mqgv
- https://github.com/Netatalk/netatalk/security/advisories/GHSA-p8cw-m237-6w2c
- https://github.com/Netatalk/netatalk/commit/433c9ec8c6a1
- https://github.com/Netatalk/netatalk/security/advisories/GHSA-fxgp-28q4-5cwx
- https://github.com/Netatalk/netatalk/security/advisories/GHSA-9963-q595-wm2x
- https://github.com/Netatalk/netatalk/security/advisories/GHSA-r72w-vfv6-52wg
- https://github.com/Netatalk/netatalk/security/advisories/GHSA-wq5m-vg8f-w65f
- https://github.com/Netatalk/netatalk/security/advisories/GHSA-x7mm-865g-6jp3
- https://github.com/Netatalk/netatalk/security/advisories/GHSA-627q-6pww-j6x4
- https://github.com/Netatalk/netatalk/security/advisories/GHSA-v8pq-cg4v-xg5q
- https://github.com/user-attachments/files/27185576/disclosure-netatalk-4.4.2-FINAL.zip