Integer underflow in Netatalk - CVE-2026-45356
Published: July 12, 2026
Netatalk
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to integer underflow in sl_unpack_loop when processing Spotlight RPC array elements with an attacker-controlled subcount value. A remote user can send a specially crafted Spotlight RPC request to disclose sensitive information.
The out-of-bounds data read from heap memory is stored in dalloc structures and returned to the client in the Spotlight RPC response.