Vypr Intelligence · AI-generated · May 31, 2026 · 25 CVEs

Netatalk: 25 CVEs Disclosed in Single-Day Security Audit Dump

Twenty-five vulnerabilities spanning code execution, authentication bypass, and information disclosure were disclosed for the Netatalk Apple Filing Protocol daemon on May 21, 2026, with five rated High severity.

Key findings

  • Five High-severity CVEs (CVSS 7.1–7.6) including code execution and authentication bypass
  • CVE-2026-44062 and CVE-2026-44055 allow remote authenticated arbitrary code execution
  • CVE-2026-44058 is an authentication bypass via the admin auth user mechanism
  • CVE-2026-44061 reveals DES-ECB authentication with a timing side channel for credential recovery
  • CVE-2026-44060 allows unauthenticated denial of service via crafted DSI write requests
  • All 25 bugs affect versions from 1.3 through 4.4.2; patched in the latest release

On May 21, 2026, a batch of 25 CVEs was published for Netatalk, the open-source implementation of the Apple Filing Protocol (AFP) widely used in NAS devices, Linux servers, and embedded systems to serve macOS clients. The vulnerabilities affect versions from as early as 1.3 through the latest 4.4.2, and were disclosed in a single coordinated release spanning just one hour. Five of the bugs carry High severity ratings (CVSS 7.1–7.6), with the most critical allowing remote authenticated attackers to execute arbitrary code.

Code Execution and Command Injection

The most severe cluster involves three High-severity flaws that can lead to arbitrary code execution. CVE-2026-44062 (CVSS 7.5) is a missing output length bounds check in pull_charset_flags() affecting Netatalk 2.0.4 through 4.4.2, allowing a remote authenticated attacker to execute arbitrary code or cause a denial of service via crafted character set data. CVE-2026-44055 (CVSS 7.5) is a logic error involving bitwise OR operations in versions 3.1.4 through 4.4.2 that lets a remote authenticated attacker inject OS commands and execute arbitrary code. CVE-2026-44076 (CVSS 6.7, Medium) allows a local privileged user to inject OS commands via insufficiently sanitized volume paths in versions 3.1.0 through 4.4.2.

Authentication Bypass and Credential Exposure

CVE-2026-44058 (CVSS 7.2, High) stands out as an authentication bypass in Netatalk 2.2.2 through 4.4.2, allowing a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism. Separately, CVE-2026-44061 (CVSS 5.9, Medium) reveals that Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, enabling a remote attacker to recover authentication credentials via timing analysis, a notable finding given how old and cryptographically weak DES-ECB already is.
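The CVE record summarized above does not say where in the DES-ECB authentication path the timing leak lives, so the following is an added illustration of the general bug class rather than Netatalk's code: a credential comparison that exits at the first mismatching byte leaks the length of the matching prefix through its running time, and the standard mitigation is a comparison that always examines every byte. The stored response value, the `probe_*` helpers and the `inspected` counter are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: an 8-byte value standing in for a stored
 * authentication response (not a real Netatalk credential). */
#define RESP_LEN 8
static const uint8_t STORED_RESPONSE[RESP_LEN] = {
    0x1a, 0x2b, 0x3c, 0x4d, 0x5e, 0x6f, 0x70, 0x81
};

/* Leaky pattern: stops at the first mismatching byte, so the number of
 * bytes examined (and the time taken) reveals how long the matching
 * prefix is. `inspected` reports how many bytes were looked at. */
int compare_early_exit(const uint8_t *a, const uint8_t *b, size_t n,
                       size_t *inspected)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i])
            break;
    }
    if (inspected)
        *inspected = (i < n) ? i + 1 : n;
    return i == n;
}

/* Constant-time pattern: XOR every byte pair and OR the differences
 * together. There is no data-dependent branch, and every byte is
 * examined regardless of where (or whether) the inputs differ. */
int compare_constant_time(const uint8_t *a, const uint8_t *b, size_t n,
                          size_t *inspected)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    if (inspected)
        *inspected = n;
    return diff == 0;
}

/* Probe helper (constructed): build a candidate equal to the stored
 * response except at byte `wrong_index` (identical when wrong_index < 0),
 * run one of the two comparisons, and report how many bytes it examined. */
size_t probe_inspected(int use_constant_time, int wrong_index)
{
    uint8_t candidate[RESP_LEN];
    size_t inspected = 0;
    memcpy(candidate, STORED_RESPONSE, RESP_LEN);
    if (wrong_index >= 0 && wrong_index < RESP_LEN)
        candidate[wrong_index] ^= 0xff;
    if (use_constant_time)
        compare_constant_time(STORED_RESPONSE, candidate, RESP_LEN, &inspected);
    else
        compare_early_exit(STORED_RESPONSE, candidate, RESP_LEN, &inspected);
    return inspected;
}

/* Same probe, returning the match result (1 = equal, 0 = different). */
int probe_match(int use_constant_time, int wrong_index)
{
    uint8_t candidate[RESP_LEN];
    memcpy(candidate, STORED_RESPONSE, RESP_LEN);
    if (wrong_index >= 0 && wrong_index < RESP_LEN)
        candidate[wrong_index] ^= 0xff;
    return use_constant_time
        ? compare_constant_time(STORED_RESPONSE, candidate, RESP_LEN, NULL)
        : compare_early_exit(STORED_RESPONSE, candidate, RESP_LEN, NULL);
}
```

The `inspected` counter makes the leak visible without a stopwatch: the early-exit compare examines one byte when the first byte is wrong and all eight when only the last is wrong, while the constant-time compare examines eight in every case. The comparison is only one place such a leak can live; if the timing difference comes from the cipher operation itself, the fix is a constant-time implementation of that operation, and the comparison above does not help.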

Extended Attribute and Spotlight RPC Flaws

Three High-severity bugs target the extended attribute (EA) and Spotlight subsystems. CVE-2026-44068 (CVSS 7.6) involves incomplete sanitization of EA path components in versions 2.1.0 through 4.4.2, allowing a remote authenticated attacker to write to files outside the intended metadata namespace via crafted EA names — the highest CVSS score in the batch. CVE-2026-44066 (CVSS 7.1) covers multiple heap out-of-bounds reads in the Spotlight RPC unmarshalling code in versions 3.1.0 through 4.4.2, enabling information disclosure or service disruption. CVE-2026-44064 (CVSS 7.1) is an out-of-bounds read in ASP session ID handling affecting versions 1.3 through 4.4.2, exploitable by an adjacent network attacker.
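CVE-2026-44068 is described as incomplete sanitization of EA path components that lets crafted EA names reach files outside the metadata namespace. The following added example shows the check a server should apply before an EA name is joined onto a metadata directory: reject anything that is not a single, well-formed path component, and refuse a truncated path rather than using it. It is not Netatalk's code; the metadata directory `EA_META_DIR`, the `EA_NAME_MAX` limit and the function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical metadata directory and name limit used for the
 * illustration; neither is Netatalk's real layout. */
#define EA_META_DIR "/srv/afp/vol1/.AppleDouble/ea"
#define EA_NAME_MAX 255

/* Return 1 if `name` is acceptable as exactly one path component under
 * the metadata directory, 0 otherwise. Rejects empty or over-long names,
 * any '/' (which would create or escape a subdirectory), control
 * characters, and the special components "." and "..". */
int ea_name_is_safe(const char *name)
{
    size_t len;
    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > EA_NAME_MAX)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Build "<meta_dir>/<name>" into `out`, refusing unsafe names and
 * truncation. Returns 0 on success, -1 on rejection. */
int ea_build_path(char *out, size_t outlen, const char *meta_dir,
                  const char *name)
{
    int n;
    if (!ea_name_is_safe(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s", meta_dir, name);
    if (n < 0 || (size_t)n >= outlen) {
        /* Truncated: never operate on a partially written path. */
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Defence in depth: after building, confirm the result still sits
 * directly under the metadata directory with no further separators.
 * Returns 1 if confined, 0 if rejected or escaped. */
int ea_path_is_confined(const char *name)
{
    char path[512];
    size_t plen = strlen(EA_META_DIR);
    if (ea_build_path(path, sizeof path, EA_META_DIR, name) != 0)
        return 0;
    return strncmp(path, EA_META_DIR, plen) == 0 && path[plen] == '/'
           && strchr(path + plen + 1, '/') == NULL;
}
```

Two caveats a reviewer would want stated: the check must run on the name as it will reach the filesystem, that is after any charset conversion the server performs (the same batch reports a charset-conversion bug), and it says nothing about symlinks already present inside the metadata directory, which are handled separately with `openat()` and `O_NOFOLLOW` on the final component.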

Denial of Service and Memory Safety Issues

Several bugs enable denial of service from various attack positions. CVE-2026-44060 (CVSS 7.5, High) is an integer underflow in dsi_writeinit() affecting Netatalk 1.5.0 through 4.4.2 that allows a remote unauthenticated attacker to cause a denial of service via a crafted DSI write request. CVE-2026-44056 (CVSS 6.4, Medium) is a stack-based buffer overflow in desktop.c in versions 1.3 through 4.2.2. Lower-severity issues include CVE-2026-44071 (CVSS 3.7), which notes that Netatalk 3.1.2 through 4.4.2 is compiled without FORTIFY_SOURCE, disabling built-in buffer overflow detection at runtime.
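CVE-2026-44060 is described as an integer underflow in dsi_writeinit() reachable by an unauthenticated DSI write request. The page does not show the actual arithmetic, so the following is an added model of the bug class, not Netatalk's code: a request declares a total payload length and an offset within it, the server subtracts one from the other to learn how many data bytes remain, and when the offset exceeds the length the unsigned subtraction wraps to a value near 4 GiB that then drives the read loop. The `dsi_write_req` struct, the field names and `max_payload` are assumptions for the illustration.

```c
#include <stdint.h>

/* Hypothetical DSI-style write request fields for the illustration (not
 * Netatalk's actual dsi_writeinit() interface). */
struct dsi_write_req {
    uint32_t total_len;   /* declared payload length from the DSI header */
    uint32_t data_off;    /* where the file data starts within the payload */
};

/* Naive calculation: when data_off exceeds total_len the unsigned
 * subtraction wraps to a huge value. Kept only to make the wrap visible;
 * a server must never compute the remaining count this way. */
uint32_t dsi_remaining_naive(const struct dsi_write_req *req)
{
    return req->total_len - req->data_off;
}

/* Checked calculation: validate before subtracting. Returns 0 and sets
 * *remaining on success, -1 when the request is inconsistent. */
int dsi_remaining_checked(const struct dsi_write_req *req,
                          uint32_t max_payload, uint32_t *remaining)
{
    if (req->total_len > max_payload)
        return -1;                      /* larger than the server allows */
    if (req->data_off > req->total_len)
        return -1;                      /* subtraction would underflow */
    *remaining = req->total_len - req->data_off;
    return 0;
}

/* Wrapper exposing the naive arithmetic on raw field values. */
uint32_t dsi_remaining_naive_from(uint32_t total_len, uint32_t data_off)
{
    struct dsi_write_req req = { total_len, data_off };
    return dsi_remaining_naive(&req);
}

/* Wrapper exposing the checked path: returns the remaining count, or
 * UINT32_MAX when the request is rejected. Because max_payload is always
 * below UINT32_MAX, an accepted request can never produce that value. */
uint32_t dsi_remaining_or_reject(uint32_t total_len, uint32_t data_off,
                                 uint32_t max_payload)
{
    struct dsi_write_req req = { total_len, data_off };
    uint32_t remaining;
    if (dsi_remaining_checked(&req, max_payload, &remaining) != 0)
        return UINT32_MAX;
    return remaining;
}
```

The point of the checked version is ordering: the bound on `total_len` and the `data_off <= total_len` relation are both established before any subtraction happens, so the value handed to the read loop or allocator is always in a range the server chose. The same shape applies to any length-prefixed protocol field, not just DSI.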

Cryptographic, Race Condition, and Injection Vulnerabilities

The batch includes a range of other bug classes. CVE-2026-44063 (CVSS 4.2, Medium) is an LDAP injection vulnerability in versions 2.1.0 through 4.4.2 allowing LDAP query manipulation. CVE-2026-44059 (CVSS 4.5, Medium) is a race condition in the privilege toggle mechanism in versions 2.2.5 through 4.4.2. CVE-2026-7837 (CVSS 3.7, Low) is a TOCTOU condition in the ad_flush function involving root-privileged file operations. CVE-2026-44073 (CVSS 5.0, Medium) notes that authentication modules in versions 1.5.0 through 4.4.2 fail to check the return value of seteuid(), potentially allowing retained elevated privileges under error conditions.

Response and Patch Status

The Netatalk project has addressed all 25 vulnerabilities. Users should upgrade to the latest patched release (beyond version 4.4.2) as soon as possible. Given the breadth of affected versions — some bugs reach back to Netatalk 1.3 from the early 2000s — administrators of legacy NAS appliances and embedded devices running older Netatalk builds should pay particular attention. No in-the-wild exploitation has been publicly reported for any of these CVEs at the time of disclosure.

Why This Batch Matters

This single-day disclosure of 25 CVEs represents a comprehensive security audit of the Netatalk codebase, touching nearly every major subsystem: DSI session handling, Spotlight RPC, extended attributes, authentication, charset conversion, and printer daemon code. The presence of an authentication bypass (CVE-2026-44058), a DES-ECB timing side channel (CVE-2026-44061), and multiple code-execution paths means that unpatched Netatalk instances — common in network-attached storage and Linux-based file servers — present a significant attack surface. Administrators should prioritize patching and review their exposure to the AFP service on internal networks.

AI-written article. Grounded in 25 CVE records listed below.