Link following in Netatalk - #VU137336
Published: July 12, 2026
Netatalk
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper link resolution before file access in FinderInfo handling when processing crafted metadata that sets FinderInfo to "slnkrhap". A remote user can create a crafted file state to disclose sensitive information.
The server creates a symlink using file contents as the target with no path validation.