Integer underflow in Netatalk - CVE-2026-45699
Published: July 12, 2026
Netatalk
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to integer underflow in copydir() in the afpd daemon when handling cross-device directory rename operations inside an AFP shared volume. A remote user can trigger a crafted file operation to execute arbitrary code.
At minimum, successful exploitation can crash an afpd worker process. The issue is triggered when a file operation crosses a device boundary that the standard library renameat() cannot handle.