Netatalk Security Advisory
| Subject | Heap out-of-bounds read in Spotlight RPC TOC index |
|---|---|
| CVE ID# | CVE-2026-49388 |
| Severity | High |
| Disclosure Date | 2026/05/30 |
| Affected Versions | 3.1.0 - 4.4.3 |
| Summary | Spotlight RPC unmarshalling uses an attacker-controlled Table-of-Contents index without bounding it against the request buffer |
Description
Spotlight RPC unmarshalling can read beyond the end of the request buffer while processing a client-controlled Table-of-Contents index for complex fields. When Spotlight is enabled, an authenticated client may be able to crash the afpd child process serving its session or trigger a heap out-of-bounds read at an attacker-influenced offset. Remote code execution is not evident from the out-of-bounds read alone.
This issue is a residual sibling of CVE-2026-44066, whose earlier remediation did not cover the Table-of-Contents index itself.
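To make the bug class concrete, the following is an added C example written for this page; it is not Netatalk's code and not the advisory's patch. It uses a hypothetical, simplified request layout (a count of Table-of-Contents entries, a table of offsets, then a payload in which a complex field is just a client-chosen TOC index), not the real Spotlight RPC encoding. The vulnerable resolver trusts the index; the hardened one bounds the index, the referenced offset and the length against the request buffer before using them. The arena, the function names and the 19-byte layout are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified request layout used only for this example
 * (NOT Netatalk's wire format). All integers are little-endian.
 *   u32 toc_count
 *   u32 toc_offset[toc_count]   byte offsets of values within the request
 *   ...payload...
 * A complex field in the payload is one u32 toc_idx chosen by the client;
 * it resolves to the bytes at toc_offset[toc_idx], encoded as
 *   u32 len, u8 data[len] */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

typedef struct { const uint8_t *data; uint32_t len; } field_t;

/* Vulnerable pattern: toc_idx is scaled into a TOC slot and dereferenced
 * without comparing it to toc_count or req_len, so a large index walks off
 * the end of the request into whatever follows it on the heap. */
static int resolve_complex_vuln(const uint8_t *req, size_t req_len,
                                size_t field_pos, field_t *out)
{
    (void)req_len;                                        /* never consulted */
    uint32_t toc_idx = rd32(req + field_pos);
    uint32_t off = rd32(req + 4 + 4 * (size_t)toc_idx);   /* OOB read */
    out->len = rd32(req + off);                           /* OOB read */
    out->data = req + off + 4;
    return 0;
}

/* Hardened: every client-supplied index, offset and length is bounded
 * against the request buffer before use. Returns -1 on rejection. */
static int resolve_complex_safe(const uint8_t *req, size_t req_len,
                                size_t field_pos, field_t *out)
{
    if (req_len < 4 || field_pos > req_len - 4)
        return -1;
    uint32_t toc_count = rd32(req);
    if (toc_count > (req_len - 4) / 4)       /* TOC itself must fit */
        return -1;
    uint32_t toc_idx = rd32(req + field_pos);
    if (toc_idx >= toc_count)                /* the check that was missing */
        return -1;
    uint32_t off = rd32(req + 4 + 4 * (size_t)toc_idx);
    if (off > req_len - 4)                   /* room for the u32 len */
        return -1;
    uint32_t len = rd32(req + off);
    if (len > req_len - off - 4)             /* room for the data */
        return -1;
    out->data = req + off + 4;
    out->len = len;
    return 0;
}

/* Constructed input. The request is the first 19 bytes of the arena; the
 * bytes after it stand in for a neighbouring heap object, so the OOB read
 * stays inside one allocation and can be observed safely. Returns req_len. */
static size_t build_demo_arena(uint8_t *arena, size_t cap, uint32_t toc_idx)
{
    const size_t req_len = 19;
    if (cap < 40)
        return 0;
    memset(arena, 0, cap);
    wr32(arena + 0, 1);          /* toc_count = 1 */
    wr32(arena + 4, 12);         /* toc_offset[0] -> value at 12 */
    wr32(arena + 8, toc_idx);    /* complex field: client-chosen TOC index */
    wr32(arena + 12, 3);         /* value: len 3, "abc" */
    memcpy(arena + 16, "abc", 3);
    /* "Neighbour": with toc_idx == 4 the vulnerable parser reads the u32 at
     * 4 + 4*4 = 20 as a TOC offset (24), takes len 6 at offset 24 and
     * returns the six bytes at 28, all beyond req_len. */
    wr32(arena + 20, 24);
    wr32(arena + 24, 6);
    memcpy(arena + 28, "SECRET", 6);
    return req_len;
}

/* 1 when the vulnerable parser leaks past req_len for index 4, the hardened
 * parser rejects it, and the hardened parser still accepts the valid index 0. */
static int demo_check(void)
{
    uint8_t arena[64];
    field_t f;
    size_t n = build_demo_arena(arena, sizeof arena, 4);
    int vuln_leaked = resolve_complex_vuln(arena, n, 8, &f) == 0 &&
                      f.data >= arena + n && f.len == 6 &&
                      memcmp(f.data, "SECRET", 6) == 0;
    int safe_rejected = resolve_complex_safe(arena, n, 8, &f) == -1;
    n = build_demo_arena(arena, sizeof arena, 0);
    int safe_ok = resolve_complex_safe(arena, n, 8, &f) == 0 && f.len == 3 &&
                  memcmp(f.data, "abc", 3) == 0;
    return vuln_leaked && safe_rejected && safe_ok;
}

int main(void)
{
    printf("hardened parser blocks the TOC-index walk: %s\n",
           demo_check() ? "yes" : "no");
    return 0;
}
```

The point of the hardened version is the order of checks: the TOC count is validated against the buffer length first, then the index against the count, then the offset and length against the buffer; validating only the final offset would still let the index read past the request while locating that offset.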
Patch Availability
Apply CVE-2026-49387,CVE-2026-49388.patch to a Netatalk 4.4.3 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.0 or later, which includes the fix. Administrators are advised to upgrade or apply the patch as soon as possible.
CVSS Calculation
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L (7.1)
Workaround
Disable Spotlight in afp.conf, or leave the option unset, since it defaults to no:
[Global]
spotlight = no
This prevents the vulnerable code path from being reached entirely.
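Since the option is documented for both [Global] and volume sections, a practitioner will want to confirm that no section of afp.conf turns Spotlight on, not just [Global]. The following added shell example (written for this page, not Netatalk's own tooling) scans an ini-style afp.conf and prints each section whose spotlight value is true; the sample configuration is constructed, and the accepted true spellings (starting with y, t or 1) are an assumption about Netatalk's boolean parsing.

```sh
#!/bin/sh
# Added example: list every afp.conf section that turns Spotlight on.
# afp.conf is ini-style; "spotlight" may appear in [Global] and in volume
# sections, so this reports volume-level settings rather than trusting
# [Global] alone. True spellings (y*/t*/1) are an assumption, not verified
# against every Netatalk release.
spotlight_enabled_sections() {
    awk '
        /^[ \t]*[;#]/ { next }                    # skip comment lines
        /^[ \t]*\[/ {                             # [Section] header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            section = s; next
        }
        /^[ \t]*spotlight[ \t]*=/ {               # spotlight = value
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            if (v ~ /^[yYtT1]/) print section
        }
    ' "$1"
}

# Constructed sample afp.conf for demonstration only.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[Global]
; Spotlight is off globally ...
spotlight = no

[Homes]
basedir regex = /home

[Media]
path = /srv/media
; ... but this volume section switches it back on.
spotlight = yes
EOF

spotlight_enabled_sections "$SAMPLE_CONF"    # prints: Media
```

Run it against the live file (normally /etc/afp.conf or the path reported by your package) and expect no output; any section it prints is one to set to `spotlight = no` or remove.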
Credits
Vulnerability reported by:
Michalis Vasileiadis (@vmihalis)
Patch developed by:
Daniel Markstedt of the Netatalk team