Netatalk Security Advisory
| Subject | Heap buffer overflow in Spotlight reply marshalling |
|---|---|
| CVE ID# | CVE-2026-62321 |
| Severity | High |
| Disclosure Date | 2026/07/16 |
| Affected Versions | 4.5.0 |
| Summary | Nested Spotlight metadata is packed without tracking the remaining reply buffer capacity |
Description
Spotlight reply marshalling bounds nested metadata against the top-level packet limit rather than the remaining reply buffer. When Spotlight is enabled, an authenticated client can trigger a heap buffer overflow by requesting an amplified metadata tree.
Patch Availability
Apply CVE-2026-62321.patch to a Netatalk 4.5.0 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.1 or later, which includes the patch.
Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS Calculation
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (8.7)
Workaround
Disable Spotlight indexing in afp.conf:
[Global]
spotlight = no
Credits
Vulnerability reported by:
Alejandro Ramos aramosf@gmail.com
Patch developed by:
Daniel Markstedt of the Netatalk team
References
Go back to the Security Policy.