Netatalk Security Advisory
| Subject | EA header parsing heap over-read |
|---|---|
| CVE ID# | CVE-2026-44067 |
| Severity | Low |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 2.1.0 - 4.4.2 |
| Summary | Extended attribute header parsing trusts the on-disk entry count without checking it against the buffer size |
Description
Extended attribute metadata parsing trusts on-disk entry metadata without sufficiently validating it against the available buffer. This is most relevant when local, NFS, Samba, or other non-AFP access can corrupt AppleDouble metadata; likely impact is crash or over-read rather than code execution.
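The missing check, shown as an added illustration that is not Netatalk's code: a constructed count-prefixed header layout (not the real AppleDouble EA format) parsed first the way the description says the vulnerable code did, then with the entry count validated against the bytes actually present.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed layout for illustration only; NOT Netatalk's on-disk format:
 *   uint16_t count (big-endian)  -- number of entries that follow
 *   count x ENTRY_SIZE bytes     -- fixed-size entries
 */
#define HDR_SIZE   2u
#define ENTRY_SIZE 8u

static uint32_t be16(const uint8_t *p) { return ((uint32_t)p[0] << 8) | p[1]; }

/* Vulnerable pattern from the advisory: the count is taken from the header
 * and used as the loop bound with no check against `len`. Returns how many
 * entries such a parser would walk (and so how far past the buffer it would
 * read when the on-disk count is inflated); it does not touch the entries. */
long ea_entries_unchecked(const uint8_t *buf, size_t len) {
    if (len < HDR_SIZE) return -1;
    return (long)be16(buf);               /* trusted verbatim */
}

/* Hardened pattern: reject the header when the entries it claims do not fit
 * in the bytes we actually hold. Returns the count, or -1 on a bad header. */
long ea_entries_checked(const uint8_t *buf, size_t len) {
    if (len < HDR_SIZE) return -1;
    uint32_t count = be16(buf);
    size_t avail = len - HDR_SIZE;
    /* Divide instead of multiplying so the comparison itself cannot overflow. */
    if (count > avail / ENTRY_SIZE) return -1;
    return (long)count;
}

/* Constructed sample headers: two well-formed entries ... */
static const uint8_t good_hdr[] = { 0x00, 0x02,
    1, 2, 3, 4, 5, 6, 7, 8,   9, 10, 11, 12, 13, 14, 15, 16 };
/* ... and the same 16 entry bytes behind a count field claiming 0xFFFF. */
static const uint8_t bad_hdr[] = { 0xFF, 0xFF,
    1, 2, 3, 4, 5, 6, 7, 8,   9, 10, 11, 12, 13, 14, 15, 16 };

long demo_good_checked(void)  { return ea_entries_checked(good_hdr, sizeof good_hdr); }
long demo_bad_checked(void)   { return ea_entries_checked(bad_hdr, sizeof bad_hdr); }
long demo_bad_unchecked(void) { return ea_entries_unchecked(bad_hdr, sizeof bad_hdr); }
/* Truncated file: header says 2 entries but only 8 entry bytes were read. */
long demo_truncated(void)     { return ea_entries_checked(good_hdr, HDR_SIZE + ENTRY_SIZE); }
```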
Patch Availability
Apply CVE-2026-44067.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.0 or later, which includes the patch.
The Netatalk team does not encourage proactively applying the patch to existing deployments because of the low practical exploitability.
CVSS Calculation
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L (3.7)
Workaround
Restrict write access to volumes that store AppleDouble metadata until patched.
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team