Netatalk Security Advisory
| Subject | Stack buffer overflow in desktop.c |
|---|---|
| CVE ID# | CVE-2026-44056 |
| Severity | Medium |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 1.3 - 4.2.2 |
| Summary | A directory entry name can be appended into a small stack buffer without checking the remaining size |
Description
Desktop metadata processing can overflow a stack buffer when handling unusually long metadata entry names. Practical impact depends on whether an authenticated user can control the affected metadata and trigger ownership or mode updates; denial of service is the most likely outcome.
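The defensive pattern for this bug class is to compute the space left in the buffer before every append and reject names that do not fit. The block below is an added illustration, not Netatalk's code or the contents of CVE-2026-44056.patch. The buffer size, function names and sample entry names are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define PATHBUF_SIZE 16 /* assumed size; small on purpose for the demo */

/* Constructed sample entry names; the third cannot fit after "dir/". */
static const char *const SAMPLE_NAMES[] = {
    "a", "icon", "a-metadata-entry-name-far-longer-than-the-buffer", "12345678901"
};

/* Append name after the first dirlen bytes of buf. Returns 0 on success,
 * -1 when name plus its NUL does not fit in the space left; buf is then
 * truncated back to the directory prefix. */
static int append_entry_name(char *buf, size_t bufsize, size_t dirlen,
                             const char *name)
{
    if (dirlen >= bufsize)
        return -1;
    size_t remaining = bufsize - dirlen; /* bytes left, NUL included */
    size_t namelen = strlen(name);
    if (namelen >= remaining) {
        buf[dirlen] = '\0';
        return -1;
    }
    memcpy(buf + dirlen, name, namelen + 1);
    return 0;
}

/* Walk the names as a directory loop would; return how many were rejected. */
static int count_rejected(const char *prefix, const char *const *names, size_t n)
{
    char buf[PATHBUF_SIZE];
    size_t dirlen = strlen(prefix);
    int rejected = 0;
    if (dirlen >= sizeof(buf))
        return (int)n;
    memcpy(buf, prefix, dirlen + 1);
    for (size_t i = 0; i < n; i++) {
        /* On success a real caller would apply the owner or mode change to buf. */
        if (append_entry_name(buf, sizeof(buf), dirlen, names[i]) != 0)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    printf("rejected: %d\n", count_rejected("dir/", SAMPLE_NAMES, 4));
    return 0;
}
```

A rejected name leaves the buffer holding only the directory prefix, so the loop can log or skip the entry and continue with the next one.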
Patch Availability
Apply CVE-2026-44056.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.0 or later, which includes the patch.
The Netatalk team does not encourage proactively applying the patch to existing deployments because of the low practical exploitability.
CVSS Calculation
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H (6.0)
Workaround
Restrict AFP write access and remove untrusted desktop metadata directories until patched.
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team