Netatalk Security Advisory
| Subject | hextoint macro uppercase bug |
|---|---|
| CVE ID# | CVE-2026-7836 |
| Severity | Low |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 2.0.0 - 4.4.2 |
| Summary | The hextoint macro computes incorrect values for uppercase hexadecimal characters |
Description
Filename conversion can decode uppercase hexadecimal escapes incorrectly. This may cause filename corruption or lookup inconsistencies, but does not by itself indicate code execution, privilege escalation, or sensitive data exposure.
Patch Availability
Apply CVE-2026-44070,CVE-2026-7836.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.0 or later, which includes the patch.
The Netatalk team does not encourage proactively applying the patch to existing deployments because of the low practical exploitability.
CVSS Calculation
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N (3.1)
Workaround
Avoid configurations or clients that rely on uppercase hex escapes until patched.
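To support the workaround, the following added example (not Netatalk source code, and not part of the patch) shows how a lowercase-only hex conversion miscomputes uppercase digits, and counts the escapes in a name that would be affected. The `:XX` escape syntax, the shape of the lowercase-only conversion, the function names and the sample file names are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed shape of a lowercase-only conversion (illustration only):
 * correct for '0'-'9' and 'a'-'f', wrong for 'A'-'F'. */
static int nibble_lower_only(int c)
{
    return (c >= '0' && c <= '9') ? c - '0' : c + 10 - 'a';
}

/* Case-insensitive conversion; returns -1 for a non-hex character. */
static int nibble_any_case(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Count ":XX" escapes (assumed syntax) whose digits decode differently
 * under the two conversions, i.e. escapes containing an uppercase digit. */
static int count_affected_escapes(const char *name)
{
    int n = 0;
    for (size_t i = 0; name[i] != '\0'; i++) {
        if (name[i] != ':') continue;
        int hi = nibble_any_case((unsigned char)name[i + 1]);
        if (hi < 0) continue;              /* also covers end of string */
        int lo = nibble_any_case((unsigned char)name[i + 2]);
        if (lo < 0) continue;              /* not a complete escape */
        if (nibble_lower_only(name[i + 1]) != hi ||
            nibble_lower_only(name[i + 2]) != lo)
            n++;
        i += 2;                            /* skip the two hex digits */
    }
    return n;
}

int main(void)
{
    /* Constructed sample names, not taken from any real share. */
    const char *names[] = { "report:2f2024.txt", "report:2F2024.txt", "a:C3:a9" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s affected escapes: %d\n", names[i],
               count_affected_escapes(names[i]));
    return 0;
}
```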
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team