Netatalk Security Advisory
| Subject | Heap over-read in CatSearch search-spec parsing |
|---|---|
| CVE ID# | CVE-2026-49389 |
| Severity | Low |
| Disclosure Date | 2026/05/30 |
| Affected Versions | 2.0.0 - 4.4.3 |
| Summary | CatSearch parses a client-controlled search-spec length without validating it against the remaining request buffer |
Description
CatSearch request parsing can compute the second search-spec pointer from a client-controlled length without first checking that the requested offset remains within the input buffer. An authenticated client may be able to cause a heap over-read while processing FPCatSearch or FPCatSearchExt requests.
In standard configurations the over-read is not expected to crash the afpd child process, and no information-disclosure channel has been demonstrated. The bytes read past the end of the buffer are used only as internal search criteria; CatSearch replies return matching filesystem records, not the over-read data itself.
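To make the bug class concrete, the following is an added example written for this advisory; it is not Netatalk's code and does not reproduce the actual CatSearch parser. The wire layout (a length byte followed by the spec bytes, twice), the function names `spec2_offset_unchecked`, `read_spec` and `parse_search_specs`, and the sample requests are all assumptions. It shows the unchecked computation of the second spec's offset from a client-controlled length next to the bounds-checked form that rejects a request whose length fields exceed the bytes that remain.

```c
/* Added example, not Netatalk code. Assumed layout of the search-spec area:
 *   [len1][spec1 bytes ...][len2][spec2 bytes ...]
 * where len1 and len2 are client-controlled. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct search_specs {
    const uint8_t *spec1;
    size_t spec1_len;
    const uint8_t *spec2;
    size_t spec2_len;
};

/* Unchecked variant (the bug class described above): the offset of spec2 is
 * derived from len1 without consulting buf_len, so it may point past the end
 * of the request buffer. Returned as an offset rather than dereferenced so
 * the example itself never reads out of bounds. */
size_t spec2_offset_unchecked(const uint8_t *buf, size_t buf_len)
{
    (void)buf_len;            /* never consulted: that is the defect */
    size_t len1 = buf[0];
    return 1 + len1;          /* the real code would form a pointer here */
}

/* Reads one length-prefixed spec at *pos, refusing to advance past buf_len.
 * Returns 0 on success, -1 if the spec does not fit in the remaining bytes. */
static int read_spec(const uint8_t *buf, size_t buf_len, size_t *pos,
                     const uint8_t **spec, size_t *spec_len)
{
    if (*pos >= buf_len)
        return -1;                        /* no room for the length byte */
    size_t len = buf[(*pos)++];
    if (len > buf_len - *pos)
        return -1;                        /* spec would overrun the buffer */
    *spec = buf + *pos;
    *spec_len = len;
    *pos += len;
    return 0;
}

/* Hardened variant: every client-controlled length is validated against the
 * remaining input before it is used to compute a pointer. */
int parse_search_specs(const uint8_t *buf, size_t buf_len, struct search_specs *out)
{
    size_t pos = 0;
    if (read_spec(buf, buf_len, &pos, &out->spec1, &out->spec1_len) != 0)
        return -1;
    if (read_spec(buf, buf_len, &pos, &out->spec2, &out->spec2_len) != 0)
        return -1;
    return 0;
}

/* Constructed sample requests (not captured traffic). */
const uint8_t req_good[] = { 0x03, 'a', 'b', 'c', 0x02, 'x', 'y' };
const uint8_t req_bad[]  = { 0xff, 'a', 'b' };   /* len1 far exceeds the buffer */

int main(void)
{
    struct search_specs s;
    printf("unchecked spec2 offset for bad request: %zu (buffer is %zu bytes)\n",
           spec2_offset_unchecked(req_bad, sizeof req_bad), sizeof req_bad);
    printf("checked parse of good request: %d\n",
           parse_search_specs(req_good, sizeof req_good, &s));
    printf("checked parse of bad request: %d\n",
           parse_search_specs(req_bad, sizeof req_bad, &s));
    return 0;
}
```

The checked parser compares each length against `buf_len - pos` rather than computing `pos + len` first, so the comparison cannot itself wrap around; a truncated request is rejected at whichever field no longer fits.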
Patch Availability
Apply CVE-2026-49389.patch to a Netatalk 4.4.3 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.0 or later, which includes the patch.
The Netatalk team does not encourage proactively applying the patch to existing deployments because of the low practical exploitability.
CVSS Calculation
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N (3.1)
Workaround
No practical workaround is available beyond applying the patch; restrict AFP access to trusted users until patched.
Credits
Vulnerability reported by:
Michalis Vasileiadis (@vmihalis)
Patch developed by:
Daniel Markstedt of the Netatalk team and Michalis Vasileiadis