Out-of-bounds read in Netatalk - CVE-2026-44066
Published: July 12, 2026
Netatalk
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in the Spotlight RPC binary protocol unmarshaller sl_unpack() when parsing Spotlight RPC requests. A remote user can send a specially crafted Spotlight RPC packet with attacker-controlled offsets and counts to disclose sensitive information.
The issue is reachable post-authentication through AFP Spotlight RPC requests, and in some cases reads past the heap allocation can also cause a denial of service.