Netatalk Security Advisory
| Subject | Format string argument mismatch |
|---|---|
| CVE ID# | CVE-2026-7835 |
| Severity | Low |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 3.0.3 - 4.4.2 |
| Summary | A log message format string expects a string argument that is not supplied |
Description
A logging statement on an allocation-failure path has mismatched format arguments. The format string is fixed, so this is not a practical attacker-controlled format-string issue; impact is limited to a possible crash while logging under low-memory conditions.
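The class of bug described above, shown in a minimal added example (not Netatalk source; `log_line`, `load_entry`, the `fail_alloc` switch and the message text are hypothetical). It marks the logging wrapper with the printf `format` attribute so the compiler's `-Wformat` check flags the mismatched call, and it forces the allocation-failure branch so the log statement is exercised in a test:

```c
/* Added example, not Netatalk source: all names and messages are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The format attribute makes -Wformat compare every call's arguments with the
 * conversions in the literal format string (argument 3, varargs from 4). */
__attribute__((format(printf, 3, 4)))
static int log_line(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* fail_alloc simulates malloc() returning NULL, so the rarely taken error
 * branch runs in a test instead of only under real memory pressure. */
static int load_entry(const char *name, int fail_alloc, char *logbuf, size_t loglen)
{
    char *copy = fail_alloc ? NULL : malloc(strlen(name) + 1);
    if (copy == NULL) {
#ifdef DEMO_MISMATCH
        /* Mismatch: "%s" has no matching argument. Undefined behaviour at
         * run time (possible crash); -Wformat reports it at compile time. */
        log_line(logbuf, loglen, "load_entry(%s): out of memory");
#else
        /* Fixed: one argument supplied per conversion. */
        log_line(logbuf, loglen, "load_entry(%s): out of memory", name);
#endif
        return -1;
    }
    strcpy(copy, name);
    free(copy);
    return 0;
}

int main(void)
{
    char buf[128] = "";
    int rc = load_entry("volume1", 1, buf, sizeof buf);
    printf("rc=%d log=\"%s\"\n", rc, buf);
    return 0;
}
```

Compiling with `-DDEMO_MISMATCH -Wformat -Werror=format` turns the mismatched call into a build failure, which is how this kind of defect is caught before it reaches an error path that normal testing never takes.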
Patch Availability
Apply CVE-2026-44059,CVE-2026-7835.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.0 or later, which includes the patch.
The Netatalk team does not encourage proactively applying the patch to existing deployments because of the low practical exploitability.
CVSS Calculation
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L (3.1)
Workaround
No practical workaround is available beyond applying the patch; monitor for memory pressure that could exercise the allocation failure path.
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team