Netatalk Security Advisory
| Subject | TOCTOU with root privilege in ad_flush |
|---|---|
| CVE ID# | CVE-2026-7837 |
| Severity | None |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 3.0.0 - 4.4.2 |
| Summary | AppleDouble flush handling changes directory, becomes root, and then applies metadata to `.` (the current directory) by path |
Description
AppleDouble metadata flushing temporarily applies metadata through the current directory context while privileges are elevated. The Netatalk team could not reproduce the originally claimed race condition, but the implementation has been hardened to avoid path-based ambiguity in this privileged operation.
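The pattern the advisory describes, shown as an added illustration in C that is not Netatalk's code and does not reproduce ad_flush: the path-based form names its target through the process-wide current directory, so a privileged chmod lands on whatever `.` resolves to at that moment, while the hardened form resolves the directory to a file descriptor before any privilege change and operates on that descriptor. Function names are assumptions for this example; the privilege elevation itself is left as a comment so the self-check runs unprivileged.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdlib.h>

/* Path-based pattern (illustrative): the target is "." relative to the
 * process cwd.  Anything that changes what "." resolves to between chdir()
 * and chmod() redirects the privileged operation. */
int apply_mode_by_path(const char *dir, mode_t mode)
{
    if (chdir(dir) != 0)
        return -1;
    /* privileges would be elevated here in a real flush path (omitted) */
    return chmod(".", mode);
}

/* Hardened pattern: open the directory while still unprivileged and keep
 * the descriptor.  It is bound to the inode, so later path changes cannot
 * redirect the metadata update; O_NOFOLLOW rejects a symlinked last step. */
int apply_mode_by_fd(const char *dir, mode_t mode)
{
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* privileges would be elevated here (omitted); fd is already pinned */
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Permission bits of path, or -1 on error. */
int mode_of(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Self-check on a constructed throw-away directory: mkdtemp() creates it
 * 0700, the fd-based routine sets 0750, and the observed mode is returned. */
int demo_hardened(void)
{
    char tmpl[] = "/tmp/adflush-demo-XXXXXX";
    if (mkdtemp(tmpl) == NULL)
        return -1;
    int m = apply_mode_by_fd(tmpl, 0750) == 0 ? mode_of(tmpl) : -1;
    rmdir(tmpl);
    return m;
}
```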
Patch Availability
Apply CVE-2026-7837.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.0 or later, which includes the patch.
The Netatalk team does not encourage proactively applying the patch to existing deployments because of the low practical exploitability.
CVSS Calculation
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N (0.0)
Workaround
Least concern.
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team