Netatalk Security Advisory
| Subject | Unbounded realloc in charset conversion |
|---|---|
| CVE ID# | CVE-2026-44070 |
| Severity | Low |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 2.0.0 - 4.4.2 |
| Summary | Charset conversion doubles the destination buffer in a retry loop without an upper bound |
Description
When a charset conversion reports that the destination buffer is too small, the retry loop doubles the buffer and tries again, with neither an upper bound on the buffer size nor an integer-overflow guard on the doubling. Ordinary AFP path and string limits make practical exploitation unlikely, but the unbounded growth is a denial-of-service hardening concern.
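To make the pattern concrete, the following is an added illustration written for this advisory, not Netatalk's code: a retry loop in the style of an iconv-like converter, once in the unbounded form the advisory describes and once with a size ceiling and an overflow guard. The callback interface (`conv_fn`), the toy converters (`conv_x4`, `conv_never_fits`) and the `max_out` ceiling are assumptions for the example; in a real server the ceiling would come from the protocol's own path or string limit.

```c
/* Added example (not Netatalk code): unbounded vs. bounded buffer growth
 * in a retry-style charset conversion loop. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Assumed converter interface, iconv(3)-like: returns bytes written, or -1
 * with errno = E2BIG when the output buffer is too small. */
typedef ssize_t (*conv_fn)(const char *in, size_t inlen, char *out, size_t outlen);

/* Toy converter: every input byte becomes 4 output bytes. */
static ssize_t conv_x4(const char *in, size_t inlen, char *out, size_t outlen)
{
    if (inlen > outlen / 4) { errno = E2BIG; return -1; }
    for (size_t i = 0; i < inlen; i++) {
        out[4 * i] = in[i];
        out[4 * i + 1] = out[4 * i + 2] = out[4 * i + 3] = 0;
    }
    return (ssize_t)(inlen * 4);
}

/* Pathological converter that always asks for more space; models the
 * condition that drives the retry loop to keep growing. */
static ssize_t conv_never_fits(const char *in, size_t inlen, char *out, size_t outlen)
{
    (void)in; (void)inlen; (void)out; (void)outlen;
    errno = E2BIG;
    return -1;
}

/* Vulnerable pattern: double on E2BIG with no ceiling and no overflow check.
 * Fed conv_never_fits, this keeps doubling until realloc fails or, in
 * principle, until cap wraps around size_t. Shown for contrast only. */
static char *convert_unbounded(conv_fn fn, const char *in, size_t inlen, size_t *outlen)
{
    size_t cap = 16;
    char *buf = malloc(cap);
    if (!buf) return NULL;
    for (;;) {
        ssize_t n = fn(in, inlen, buf, cap);
        if (n >= 0) { *outlen = (size_t)n; return buf; }
        if (errno != E2BIG) { free(buf); return NULL; }
        cap *= 2;                           /* no upper bound, no overflow guard */
        char *nb = realloc(buf, cap);
        if (!nb) { free(buf); return NULL; }
        buf = nb;
    }
}

/* Hardened pattern: growth is clamped to max_out and can never overflow. */
static char *convert_bounded(conv_fn fn, const char *in, size_t inlen,
                             size_t max_out, size_t *outlen)
{
    if (max_out == 0) { errno = EINVAL; return NULL; }
    size_t cap = 16 < max_out ? 16 : max_out;
    char *buf = malloc(cap);
    if (!buf) return NULL;
    for (;;) {
        ssize_t n = fn(in, inlen, buf, cap);
        if (n >= 0) { *outlen = (size_t)n; return buf; }
        if (errno != E2BIG) { free(buf); return NULL; }
        if (cap >= max_out || cap > SIZE_MAX / 2) {   /* ceiling reached: give up */
            free(buf); errno = ENAMETOOLONG; return NULL;
        }
        cap = (cap * 2 > max_out) ? max_out : cap * 2;
        char *nb = realloc(buf, cap);
        if (!nb) { free(buf); return NULL; }
        buf = nb;
    }
}

/* Result helpers: converted length on success, -1 on refusal, -2 on bad data. */
static long demo_bounded_len(size_t max_out)
{
    size_t n = 0;
    char *p = convert_bounded(conv_x4, "hello", 5, max_out, &n);
    if (!p) return -1;
    long r = (memcmp(p, "h\0\0\0e\0\0\0", 8) == 0) ? (long)n : -2;
    free(p);
    return r;
}

static long demo_unbounded_len(void)
{
    size_t n = 0;
    char *p = convert_unbounded(conv_x4, "hello", 5, &n);
    if (!p) return -1;
    free(p);
    return (long)n;
}

/* errno left behind when the bounded loop hits its ceiling (0 if it did not). */
static int demo_never_fits_errno(void)
{
    size_t n = 0;
    errno = 0;
    char *p = convert_bounded(conv_never_fits, "x", 1, 4096, &n);
    if (p) { free(p); return 0; }
    return errno;
}

int main(void)
{
    printf("bounded(4096)=%ld bounded(16)=%ld unbounded=%ld never_fits_errno=%d\n",
           demo_bounded_len(4096), demo_bounded_len(16), demo_unbounded_len(),
           demo_never_fits_errno());
    return 0;
}
```

The two loops differ in one place: the bounded version refuses to grow past `max_out` and checks `cap > SIZE_MAX / 2` before doubling, so a conversion that keeps reporting E2BIG terminates with `ENAMETOOLONG` instead of consuming memory until `realloc` fails.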
Patch Availability
Apply CVE-2026-44070,CVE-2026-7836.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.0 or later, which includes the patch.
The Netatalk team does not encourage proactively applying the patch to existing deployments because of the low practical exploitability.
CVSS Calculation
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L (3.1)
Workaround
Restrict AFP access to trusted users and monitor memory pressure until patched.
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team
References