Netatalk Security Advisory
| Subject | Non-reentrant privilege toggle |
|---|---|
| CVE ID# | CVE-2026-44059 |
| Severity | Low |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 2.2.5 - 4.4.2 |
| Summary | Privilege switching uses global state without locking or nesting support |
Description
Privilege switching uses shared global state that is not safe for nested or concurrent use: a nested or concurrent switch can overwrite the saved identity that the outer switch relies on to restore the original privileges. The Netatalk team has not identified a credible remote attacker-controlled path to privilege escalation in normal afpd request handling, but the behavior weakens privilege-management robustness.
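The following is an added example written for this advisory page; it is not Netatalk's code and does not describe the actual afpd code path. It contrasts a privilege toggle that keeps the caller's saved identity in a single global slot (the non-reentrant pattern the advisory describes) with one that carries it in a caller-owned token and refuses out-of-order restores. The names `become_user`/`unbecome_user`, `priv_push`/`priv_pop` and the `sim_*` helpers are hypothetical, and the process credentials are simulated with a plain variable so the program runs without root; in real code the two `sim_*` helpers would be `geteuid()`/`seteuid()`.

```c
#include <stdio.h>
#include <sys/types.h>

/* Simulated process credentials (constructed for this example so it runs
 * unprivileged). In real code these would be geteuid()/seteuid(). */
static uid_t sim_euid = 0;
static uid_t sim_geteuid(void) { return sim_euid; }
static int sim_seteuid(uid_t uid) { sim_euid = uid; return 0; }

/* Pattern 1 (hypothetical names): a toggle that remembers the caller's
 * identity in ONE global slot. Any nested invocation (including one from a
 * signal handler) overwrites that slot, so the outer restore targets the
 * wrong uid. */
static uid_t saved_euid;

static void become_user(uid_t uid) {
    saved_euid = sim_geteuid();   /* a second call clobbers the first save */
    sim_seteuid(uid);
}

static void unbecome_user(void) {
    sim_seteuid(saved_euid);      /* restores whatever the LAST save was */
}

/* A root process drops to uid 1000, a nested helper drops to 1001 and undoes
 * it, then the outer code undoes its own switch. Returns the final euid. */
uid_t nested_global_toggle(void) {
    sim_seteuid(0);
    become_user(1000);    /* saved_euid = 0                    */
    become_user(1001);    /* saved_euid = 1000, the 0 is lost  */
    unbecome_user();      /* euid = 1000, looks correct        */
    unbecome_user();      /* euid = 1000 again: root never regained */
    return sim_geteuid(); /* 1000 */
}

/* Pattern 2: reentrant toggle. The previous identity travels in a
 * caller-owned token (here on the stack), so nesting cannot clobber it,
 * and pop() checks LIFO discipline instead of silently restoring. */
struct priv_token {
    uid_t prev_euid;   /* identity to restore */
    uid_t set_euid;    /* identity this token switched to */
};

static void priv_push(struct priv_token *t, uid_t uid) {
    t->prev_euid = sim_geteuid();
    t->set_euid = uid;
    sim_seteuid(uid);
}

/* Returns 0 on success, -1 if tokens are popped out of order. */
static int priv_pop(const struct priv_token *t) {
    if (sim_geteuid() != t->set_euid)
        return -1;     /* an inner switch is still active: refuse */
    sim_seteuid(t->prev_euid);
    return 0;
}

uid_t nested_token_toggle(void) {
    struct priv_token outer, inner;
    sim_seteuid(0);
    priv_push(&outer, 1000);
    priv_push(&inner, 1001);
    priv_pop(&inner);
    priv_pop(&outer);
    return sim_geteuid(); /* 0: root correctly regained */
}

/* Popping the outer token while the inner one is still active is rejected
 * and leaves the credentials untouched. */
int out_of_order_pop_rejected(void) {
    struct priv_token outer, inner;
    sim_seteuid(0);
    priv_push(&outer, 1000);
    priv_push(&inner, 1001);
    return priv_pop(&outer) == -1 && sim_geteuid() == 1001;
}

int main(void) {
    printf("global slot, after nested restore: euid=%u\n",
           (unsigned)nested_global_toggle());
    printf("token based, after nested restore:  euid=%u\n",
           (unsigned)nested_token_toggle());
    printf("out-of-order pop rejected: %s\n",
           out_of_order_pop_rejected() ? "yes" : "no");
    return 0;
}
```

Build with `cc -Wall -o privtoggle privtoggle.c && ./privtoggle`. The token variant fixes nesting within one thread of control; for true concurrency (threads sharing the process credentials) a token alone is not enough, because the credentials themselves are shared, and the switch then also needs to be serialized or confined to one thread.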
Patch Availability
Apply CVE-2026-44059,CVE-2026-7835.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.0 or later, which includes the patch.
The Netatalk team does not encourage proactively applying the patch to existing deployments because of the low practical exploitability.
CVSS Calculation
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L (3.9)
Workaround
Avoid configurations that can exercise concurrent privilege switching until patched.
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team
References