netatalk.io

Netatalk Security Advisory

Subject: Stack buffer overflow via UCS-2 type confusion in convert_charset()
CVE ID: CVE-2026-44048
Severity: High
Disclosure Date: 2026/05/13
Affected Versions: 2.0.4 - 4.4.2
Summary: Unicode filename conversion can write null terminators at twice the intended byte offset, corrupting stack memory

Description

Unicode filename conversion can corrupt stack memory while processing certain decomposing character sequences. A UCS-2 type confusion in convert_charset() causes the null terminator to be written at twice the intended byte offset, so the write can land past the end of a stack buffer. An authenticated client may be able to trigger a process crash, and broader memory-corruption impact cannot be ruled out.
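The pattern the summary describes, as an added illustration that is not Netatalk's code: a converter reports its output length in bytes, the caller indexes a 16-bit buffer with that byte count, and the terminator lands at twice the intended offset. All names (widen_ascii, convert_confused, convert_checked, demo_clobbers, demo_offset), the canary-padded area used to observe the out-of-bounds write safely, and the ASCII widening that stands in for the real decomposition-aware conversion are assumptions; the hardened variant shows the byte-to-unit conversion and bounds check a fix of this class needs.

```c
/* Added, illustrative reconstruction of the bug class described above.
 * This is NOT Netatalk's convert_charset(); all names are hypothetical and
 * ASCII widening stands in for the real Unicode conversion. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t ucs2_t;                      /* 16-bit UCS-2 code unit */

#define LOGICAL_UNITS 16                      /* the intended output buffer */
#define AREA_UNITS    (LOGICAL_UNITS * 2 + 1) /* slack so the demo never leaves the array */
#define CANARY        0xBEEFu                 /* marks memory past the intended buffer */

typedef size_t (*conv_fn)(const char *in, ucs2_t *out);

/* Stand-in converter: widen ASCII to UCS-2 and return the number of BYTES
 * written, the way an iconv-style API reports output consumption. */
static size_t widen_ascii(const char *in, ucs2_t *out, size_t out_units)
{
    size_t n = 0;
    while (in[n] != '\0' && n < out_units) {
        out[n] = (ucs2_t)(unsigned char)in[n];
        n++;
    }
    return n * sizeof(ucs2_t);
}

/* Vulnerable pattern: a byte count is used as a ucs2_t index, so the
 * terminator lands at byte offset 2*len instead of len.  Returns the
 * byte offset actually written. */
static size_t convert_confused(const char *in, ucs2_t *out)
{
    size_t len_bytes = widen_ascii(in, out, LOGICAL_UNITS);
    out[len_bytes] = 0;                       /* BUG: index is in bytes, not units */
    return len_bytes * sizeof(ucs2_t);
}

/* Hardened pattern: convert bytes to code units and refuse to terminate
 * when the terminator would not fit.  Returns the byte offset written,
 * or (size_t)-1 when the caller must treat the conversion as failed. */
static size_t convert_checked(const char *in, ucs2_t *out)
{
    size_t len_bytes = widen_ascii(in, out, LOGICAL_UNITS);
    size_t units = len_bytes / sizeof(ucs2_t);
    if (units >= LOGICAL_UNITS)
        return (size_t)-1;                    /* no room for the terminator */
    out[units] = 0;
    return units * sizeof(ucs2_t);
}

/* Run a converter against a canary-padded area and report whether anything
 * past the intended LOGICAL_UNITS buffer was modified (1) or not (0). */
static int demo_clobbers(conv_fn convert, const char *in)
{
    ucs2_t area[AREA_UNITS];
    for (size_t i = 0; i < AREA_UNITS; i++)
        area[i] = CANARY;
    convert(in, area);
    for (size_t i = LOGICAL_UNITS; i < AREA_UNITS; i++)
        if (area[i] != CANARY)
            return 1;
    return 0;
}

/* Same setup, but return the byte offset the converter reports. */
static size_t demo_offset(conv_fn convert, const char *in)
{
    ucs2_t area[AREA_UNITS];
    for (size_t i = 0; i < AREA_UNITS; i++)
        area[i] = CANARY;
    return convert(in, area);
}

int main(void)
{
    const char *name = "abcdefgh";            /* constructed 8-character filename */
    printf("confused: terminator at byte %zu, past buffer: %d\n",
           demo_offset(convert_confused, name), demo_clobbers(convert_confused, name));
    printf("checked:  terminator at byte %zu, past buffer: %d\n",
           demo_offset(convert_checked, name), demo_clobbers(convert_checked, name));
    return 0;
}
```

For the 8-character input the confused variant reports its terminator at byte 32 and zeroes a canary unit beyond the 32-byte logical buffer, while the checked variant terminates at byte 16 and leaves the slack untouched; at exactly 16 characters the checked variant refuses rather than writing past the end. On a real stack the slack would be adjacent locals, saved registers or the return address, which is why the advisory does not rule out impact beyond a crash.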

Patch Availability

Apply CVE-2026-44048.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.

Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.

Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.

CVSS Calculation

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8)

Workaround

Restrict AFP access (TCP port 548) to trusted clients until patched. The issue requires an authenticated session, so limiting which accounts can log in also narrows exposure.

Credits

Vulnerability reported by:

@00redbeer

Patch developed by:

Daniel Markstedt of the Netatalk team
