Netatalk Security Advisory
| Subject | Integer underflow in volxlate |
|---|---|
| CVE ID# | CVE-2026-44069 |
| Severity | Low |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 3.0.0 - 4.4.2 |
| Summary | Path translation subtracts formatted output length from the remaining destination size without validating the subtraction |
Description
Path translation can mishandle remaining buffer accounting when formatted output exceeds the available destination space. Practical exploitability is low because high-risk inputs are generally administrator-controlled configuration values or otherwise bounded data.
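The accounting error described above, in generic form. This is an added example, not Netatalk's code or the CVE-2026-44069 patch; the function names and inputs are hypothetical. It relies on `snprintf()` returning the length it would have written, which can exceed the space left.

```c
#include <stdio.h>
#include <string.h>

/* Unchecked accounting: snprintf() reports the length it WANTED to write.
 * Subtracting that from an unsigned remaining size wraps to a huge value
 * whenever the output did not fit. */
static size_t remaining_unchecked(size_t remaining, int wanted)
{
    return remaining - (size_t)wanted;    /* wraps when wanted > remaining */
}

/* Checked append: validate the return value before updating the counters. */
static int append_checked(char **cursor, size_t *remaining, const char *s)
{
    int wanted = snprintf(*cursor, *remaining, "%s", s);
    if (wanted < 0 || (size_t)wanted >= *remaining)
        return -1;                        /* error or truncation: reject */
    *cursor += wanted;
    *remaining -= (size_t)wanted;         /* safe: wanted < *remaining */
    return 0;
}

/* Hypothetical translator that builds "<base>/<name>" in dst. */
static int translate_checked(char *dst, size_t dstlen,
                             const char *base, const char *name)
{
    char *cursor = dst;
    size_t remaining = dstlen;

    if (dstlen == 0)
        return -1;
    if (append_checked(&cursor, &remaining, base) != 0 ||
        append_checked(&cursor, &remaining, "/") != 0 ||
        append_checked(&cursor, &remaining, name) != 0) {
        dst[0] = '\0';                    /* never return a partial path */
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[16];                         /* constructed sample inputs below */
    int rc = translate_checked(buf, sizeof buf, "/srv", "alice");
    printf("unchecked remaining: %zu\n", remaining_unchecked(4, 10));
    printf("fits: rc=%d path=%s len=%zu\n", rc, buf, strlen(buf));
    printf("too long: rc=%d\n", translate_checked(buf, sizeof buf, "/srv/afp/volumes", "alice"));
    return 0;
}
```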
Patch Availability
Apply CVE-2026-44069.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.0 or later, which includes the patch.
The Netatalk team does not encourage proactively applying the patch to existing deployments because of the low practical exploitability.
CVSS Calculation
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L (3.4)
Workaround
Restrict write access to Netatalk configuration and avoid untrusted volume path values until patched.
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team