Security Policy
The Netatalk Project takes cyber security very seriously. We commit to follow up on and resolve potential security flaws in our code as quickly as we can. The reporter of an accepted and patched vulnerability will be given credit in the advisory published by this project.
Supported Versions
Project policy is to support a release series with security patches up to 12 months after a superseding stable release.
We actively support up to the two latest minor feature release versions in a major release series. For instance, if 4.0 and 4.1 are supported, and we release 4.2, then security patch support for 4.0 is halted.
Reporting a Vulnerability
If you think you have found an exploitable security vulnerability in Netatalk, the Netatalk Team would be eager to hear from you!
The best way to get in touch with us is by filing a report via the private security vulnerability reporting workflow in GitHub. This allows us to collaborate in private and avoid putting end-users at potential risk in the meantime.
In order for us to take effective action on your report, please include as much context as possible:
- An unambiguous link to the affected source code, including the specific line and Git commit hash
- Configurations or input data required to reproduce the issue
- Concrete steps to reproduce the issue
- Ideally, proof-of-concept code that demonstrates the exploit
- A summary of the issue’s potental impact
Response
If we are able to reproduce and subsequently patch the vulnerability, we will publish an advisory below where you are credited as finder and reporter. If you also contribute a patch, you will be credited as patch developer.
Please be mindful that Netatalk is a volunteer driven project. We do this on our free time, so response times may vary. That said, we will try to take action on your report as soon as possible!
Security Advisories
| CVE ID | Subject | Disclosure Date | Affected Versions | Severity |
|---|---|---|---|---|
| CVE-2026-45699 | Stack-based buffer overflow in copydir() | 2026/05/13 | 3.2.0 - 4.4.2 | High |
| CVE-2026-45698 | Stack-based buffer overflow in deletedir() | 2026/05/13 | 3.2.0 - 4.4.2 | High |
| CVE-2026-45356 | Integer underflow in Spotlight RPC count decrement | 2026/05/13 | 3.1.0 - 4.4.2 | High |
| CVE-2026-45355 | Integer underflow to heap OOB read | 2026/05/13 | 3.1.0 - 4.4.2 | High |
| CVE-2026-45354 | Pre-authentication DSI protocol desync | 2026/05/13 | 1.5.0 - 4.4.2 | High |
| CVE-2026-44076 | Shell injection via volume path | 2026/05/13 | 3.1.0 - 4.4.2 | Medium |
| CVE-2026-44075 | Missing break in DSI OpenSession | 2026/05/13 | 1.5.0 - 4.4.3 | None |
| CVE-2026-44074 | Bitwise OR of errno values | 2026/05/13 | 2.1.0 - 4.4.3 | None |
| CVE-2026-44073 | seteuid failure ignored in auth modules | 2026/05/13 | 1.5.0 - 4.4.3 | Medium |
| CVE-2026-44072 | system() after failed chdir() | 2026/05/13 | 2.2.1 - 4.4.3 | Low |
| CVE-2026-44071 | FORTIFY_SOURCE disabled | 2026/05/13 | 3.1.2 - 4.4.3 | None |
| CVE-2026-44070 | Unbounded realloc in charset conversion | 2026/05/13 | 2.0.0 - 4.4.3 | Low |
| CVE-2026-44069 | Integer underflow in volxlate | 2026/05/13 | 3.0.0 - 4.4.3 | Low |
| CVE-2026-44068 | EA path traversal via incomplete sanitization | 2026/05/13 | 2.1.0 - 4.4.2 | High |
| CVE-2026-44067 | EA header parsing heap over-read | 2026/05/13 | 2.1.0 - 4.4.3 | Low |
| CVE-2026-44066 | Heap out-of-bounds reads in Spotlight RPC unmarshalling | 2026/05/13 | 3.0.0 - 4.4.2 | High |
| CVE-2026-44065 | Off-by-two in papd lp_write() | 2026/05/13 | 2.0.0 - 4.4.3 | Low |
| CVE-2026-44064 | ASP session ID out-of-bounds access | 2026/05/13 | 1.3 - 4.4.2 | High |
| CVE-2026-44063 | LDAP filter injection | 2026/05/13 | 2.1.0 - 4.4.3 | Medium |
| CVE-2026-44062 | Missing o_len bounds check in pull_charset_flags() | 2026/05/13 | 2.0.4 - 4.4.2 | High |
| CVE-2026-44061 | DES-ECB auth with timing side channel | 2026/05/13 | 1.5.0 - 4.4.3 | Medium |
| CVE-2026-44060 | Integer underflow in dsi_writeinit() leads to denial of service | 2026/05/13 | 1.5.0 - 4.4.2 | High |
| CVE-2026-44059 | Non-reentrant privilege toggle | 2026/05/13 | 2.2.5 - 4.4.3 | Low |
| CVE-2026-44058 | Authentication bypass via admin auth user | 2026/05/13 | 2.2.2 - 4.4.3 | Medium |
| CVE-2026-44057 | Dead bounds check in Spotlight RPC unmarshaller | 2026/05/13 | 3.0.0 - 4.4.2 | None |
| CVE-2026-44056 | Stack buffer overflow in desktop.c | 2026/05/13 | 1.3 - 4.2.3 | Medium |
| CVE-2026-44055 | Bitwise OR logic bug enables shell injection | 2026/05/13 | 3.1.4 - 4.4.2 | High |
| CVE-2026-44054 | Predictable afpd session token | 2026/05/13 | 2.0.0 - 4.4.2 | Medium |
| CVE-2026-44053 | Weak cryptography in DHCAST128 UAM | 2026/05/13 | 1.5.0 - 4.2.3 | High |
| CVE-2026-44052 | LDAP simple-bind password exposure in log output | 2026/05/13 | 2.1.0 - 4.4.2 | High |
| CVE-2026-44051 | Arbitrary file read via attacker-controlled symlink creation | 2026/05/13 | 3.0.2 - 4.4.2 | High |
| CVE-2026-44050 | Heap buffer overflow in CNID daemon comm_rcv() | 2026/05/13 | 2.0.0 - 4.4.2 | Critical |
| CVE-2026-44049 | Out-of-bounds write in convert_charset() null termination | 2026/05/13 | 2.0.4 - 4.4.2 | High |
| CVE-2026-44048 | Stack buffer overflow via UCS-2 type confusion in convert_charset() | 2026/05/13 | 2.0.4 - 4.4.2 | High |
| CVE-2026-44047 | SQL injection in MySQL CNID backend | 2026/05/13 | 3.1.0 - 4.4.2 | High |
| CVE-2026-7837 | TOCTOU with root privilege in ad_flush | 2026/05/13 | 3.0.0 - 4.4.3 | None |
| CVE-2026-7836 | hextoint macro uppercase bug | 2026/05/13 | 2.0.0 - 4.4.3 | Low |
| CVE-2026-7835 | Format string argument mismatch | 2026/05/13 | 3.0.3 - 4.4.3 | Low |
| CVE-2024-38441 | Heap out-of-bounds write in directory.c | 2024/06/28 | 2.0.0 - 2.4.0, 3.0.0 - 3.1.18, 3.2.0 | High |
| CVE-2024-38440 | Heap out-of-bounds write in uams_dhx_pam.c | 2024/06/28 | 1.5.0 - 2.4.0, 3.0.0 - 3.1.18, 3.2.0 | High |
| CVE-2024-38439 | Heap out-of-bounds write in uams_pam.c | 2024/06/28 | 1.5.0 - 2.4.0, 3.0.0 - 3.1.18, 3.2.0 | High |
| CVE-2023-42464 | afpd daemon vulnerable to type confusion | 2023/09/16 | 3.1.0 - 3.1.16 | Medium |
| CVE-2022-45188 | Arbitrary code execution in afp_getappl | 2023/03/28 | 1.5.0 - 2.2.8, 3.0.0 - 3.1.14 | High |
| CVE-2022-43634 | Arbitrary code execution in dsi_writeinit | 2023/02/20 | 3.0.0 - 3.1.14 | Critical |
| CVE-2022-23125 | Arbitrary code execution in copyapplfile | 2022/03/22 | 1.3 - 2.2.6, 3.0.0 - 3.1.12 | Critical |
| CVE-2022-23124 | Information leak in get_finderinfo | 2022/03/22 | 3.0.0 - 3.1.12 | Medium |
| CVE-2022-23123 | Information leak in getdirparams | 2022/03/22 | 1.5.0 - 2.2.6, 3.0.0 - 3.1.12 | Medium |
| CVE-2022-23122 | Arbitrary code execution in setfilparams | 2022/03/22 | 3.0.0 - 3.1.12 | Critical |
| CVE-2022-23121 | Arbitrary code execution in parse_entries | 2022/03/22 | 1.5.0 - 2.2.6, 3.0.0 - 3.1.12 | Critical |
| CVE-2022-22995 | afpd daemon vulnerable to symlink redirection | 2023/10/05 | 3.1.0 - 3.1.17 | High |
| CVE-2022-0194 | Arbitrary code execution in ad_addcomment | 2022/03/22 | 1.5.0 - 2.2.6, 3.0.0 - 3.1.12 | Critical |
| CVE-2021-31439 | Arbitrary code execution in dsi_stream_receive | 2022/03/22 | 3.0.0 - 3.1.12 | High |
| CVE-2018-1160 | Unauthenticated remote code execution | 2018/12/20 | 1.5.0 - 2.2.6, 3.0.0 - 3.1.11 | Critical |
| CVE-2008-5718 | papd daemon vulnerable to remote command execution | 2008/12/26 | 2.0.0 - 2.0.4 | Critical |
| CAN-2004-0974 | etc2ps.sh vulnerable to symlink attack | 2004/09/30 | 1.3 - 1.6.4, 2.0.0 | Low |
See Also
Netatalk CVE records on cve.org
