25 CVEs Disclosed in Netatalk Apple Filing Protocol Daemon, Including Code Execution and Authentication Bypass
Twenty-five vulnerabilities, five rated High severity, were disclosed for the open-source Netatalk AFP daemon on May 21, 2026, affecting versions from 1.3 through 4.4.2.

On May 21, 2026, a batch of 25 CVEs was published for Netatalk, the open-source implementation of the Apple Filing Protocol (AFP) widely used in NAS devices, Linux servers, and embedded systems to serve macOS clients. The vulnerabilities affect versions from as early as 1.3 through the latest 4.4.2, and were disclosed in a single coordinated release spanning just one hour. Five of the bugs carry High severity ratings (CVSS 7.1–7.6), with the most critical allowing remote authenticated attackers to execute arbitrary code.
The most severe cluster involves three High-severity flaws that can lead to arbitrary code execution. CVE-2026-44062 (CVSS 7.5) is a missing output length bounds check in pull_charset_flags() affecting Netatalk 2.0.4 through 4.4.2, allowing a remote authenticated attacker to execute arbitrary code or cause a denial of service via crafted character set data. CVE-2026-44055 (CVSS 7.5) is a logic error involving bitwise OR operations in versions 3.1.4 through 4.4.2 that lets a remote authenticated attacker inject OS commands and execute arbitrary code. CVE-2026-44076 (CVSS 6.7, Medium) allows a local privileged user to inject OS commands via insufficiently sanitized volume paths in versions 3.1.0 through 4.4.2.
CVE-2026-44058 (CVSS 7.2, High) stands out as an authentication bypass in Netatalk 2.2.2 through 4.4.2, allowing a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism. Separately, CVE-2026-44061 (CVSS 5.9, Medium) reveals that Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, enabling a remote attacker to recover authentication credentials via timing analysis — a notable finding given the age of DES and the well-known weaknesses of ECB mode.
Three High-severity bugs target the extended attribute (EA) and Spotlight subsystems. CVE-2026-44068 (CVSS 7.6) involves incomplete sanitization of EA path components in versions 2.1.0 through 4.4.2, allowing a remote authenticated attacker to write to files outside the intended metadata namespace via crafted EA names — the highest CVSS score in the batch. CVE-2026-44066 (CVSS 7.1) covers multiple heap out-of-bounds reads in the Spotlight RPC unmarshalling code in versions 3.1.0 through 4.4.2, enabling information disclosure or service disruption. CVE-2026-44064 (CVSS 7.1) is an out-of-bounds read in ASP session ID handling affecting versions 1.3 through 4.4.2, exploitable by an adjacent network attacker.
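The EA path-component issue above is a containment problem: a name supplied by the client ends up as a path component under the server's metadata directory. The page does not show Netatalk's code or its fix, so the following is an added example of my own, not project code, illustrating the defensive check: validate the attribute name before it is ever joined to a path. The metadata directory "/srv/vol/.meta", the limit EA_NAME_MAX and the function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Netatalk code: validate a client-supplied
 * extended-attribute name before it is joined to the directory that holds
 * per-file metadata. The name is rejected if it is empty, over-long,
 * equal to "." or "..", or contains a path separator or control byte. */
#define EA_NAME_MAX 255   /* assumed limit for the example */

bool ea_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    size_t len = strlen(name);
    if (len > EA_NAME_MAX)
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\')      /* path separators */
            return false;
        if (c < 0x20 || c == 0x7f)      /* control characters */
            return false;
    }
    return true;
}

/* Join "<metadir>/<name>" only after the name passes validation.
 * Returns 0 on success, -1 if the name was rejected or the buffer is too
 * small; on -1 the output buffer must not be used. */
int ea_build_path(char *out, size_t outsz, const char *metadir, const char *name)
{
    if (out == NULL || outsz == 0 || metadir == NULL)
        return -1;
    if (!ea_name_is_safe(name))
        return -1;
    int n = snprintf(out, outsz, "%s/%s", metadir, name);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed inputs; "/srv/vol/.meta" is a placeholder, not
       Netatalk's real metadata layout. */
    const char *names[] = { "user.comment", "../../etc/passwd", "a/b", ".." };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (ea_build_path(path, sizeof path, "/srv/vol/.meta", names[i]) == 0)
            printf("accepted: %s\n", path);
        else
            printf("rejected: %s\n", names[i]);
    }
    return 0;
}
```

The check is deliberately an allow-by-shape rule on the name itself rather than a post-hoc scan of the joined path: once separators and dot-components are impossible, the result cannot escape the metadata directory regardless of how the path is later consumed.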
Several bugs enable denial of service from various attack positions. CVE-2026-44060 (CVSS 7.5, High) is an integer underflow in dsi_writeinit() affecting Netatalk 1.5.0 through 4.4.2 that allows a remote unauthenticated attacker to cause a denial of service via a crafted DSI write request. CVE-2026-44056 (CVSS 6.4, Medium) is a stack-based buffer overflow in desktop.c in versions 1.3 through 4.2.2. Lower-severity issues include CVE-2026-44071 (CVSS 3.7), which notes that Netatalk 3.1.2 through 4.4.2 is compiled without FORTIFY_SOURCE, disabling built-in buffer overflow detection at runtime.
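The dsi_writeinit() finding is an integer underflow reachable by an unauthenticated client, so it is worth seeing the bug class concretely. The page gives no Netatalk source, so the following is an added illustration of my own: a simplified, constructed DSI-style write header (the two-field layout, the field names and the functions are assumptions, not Netatalk's real structures) with the unchecked unsigned subtraction next to the hardened version that validates field ordering before any arithmetic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the integer-underflow bug class, not
 * Netatalk's real dsi_writeinit(): a simplified DSI-style write request
 * carrying the total payload length and the offset at which the write
 * data begins. Both fields arrive from the client and must be treated
 * as hostile. */
struct dsi_write_req {
    uint32_t total_len;   /* length of the whole request payload */
    uint32_t data_off;    /* offset of the write data inside the payload */
};

/* Decode an 8-byte big-endian header (constructed layout). Returns false
 * on short input so a truncated packet can never be misread. */
bool dsi_parse_write_req(const uint8_t *buf, size_t len,
                         struct dsi_write_req *out)
{
    if (buf == NULL || out == NULL || len < 8)
        return false;
    out->total_len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                     ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    out->data_off  = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                     ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    return true;
}

/* The pattern that goes wrong: an unsigned subtraction with no ordering
 * check. When data_off > total_len the result wraps to a value near
 * 2^32, which a subsequent copy or read loop would then trust. */
uint32_t dsi_write_len_unchecked(const struct dsi_write_req *req)
{
    return req->total_len - req->data_off;
}

/* Hardened form: establish data_off <= total_len <= buf_size before any
 * arithmetic. On a malformed request it returns false and leaves
 * *out_len untouched, so the caller can fail the request cleanly. */
bool dsi_write_len_checked(const struct dsi_write_req *req,
                           uint32_t buf_size, uint32_t *out_len)
{
    if (req == NULL || out_len == NULL)
        return false;
    if (req->data_off > req->total_len)   /* would underflow */
        return false;
    if (req->total_len > buf_size)        /* larger than receive buffer */
        return false;
    *out_len = req->total_len - req->data_off;
    return true;
}

int main(void)
{
    /* Constructed headers: total_len=64/data_off=16, then the reverse. */
    const uint8_t good[8] = { 0, 0, 0, 64, 0, 0, 0, 16 };
    const uint8_t bad[8]  = { 0, 0, 0, 16, 0, 0, 0, 64 };
    struct dsi_write_req req;
    uint32_t n = 0;

    if (dsi_parse_write_req(good, sizeof good, &req) &&
        dsi_write_len_checked(&req, 1024, &n))
        printf("well-formed request: %u data bytes\n", (unsigned)n);

    if (dsi_parse_write_req(bad, sizeof bad, &req)) {
        printf("unchecked length: %u\n", (unsigned)dsi_write_len_unchecked(&req));
        printf("checked: %s\n",
               dsi_write_len_checked(&req, 1024, &n) ? "accepted" : "rejected");
    }
    return 0;
}
```

The ordering check is the whole fix: once data_off <= total_len is established, the subtraction cannot wrap, and the buffer-size comparison keeps the accepted length inside what the server actually allocated.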
The batch includes a range of other bug classes. CVE-2026-44063 (CVSS 4.2, Medium) is an LDAP injection vulnerability in versions 2.1.0 through 4.4.2 allowing LDAP query manipulation. CVE-2026-44059 (CVSS 4.5, Medium) is a race condition in the privilege toggle mechanism in versions 2.2.5 through 4.4.2. CVE-2026-7837 (CVSS 3.7, Low) is a TOCTOU condition in the ad_flush function involving root-privileged file operations. CVE-2026-44073 (CVSS 5.0, Medium) notes that authentication modules in versions 1.5.0 through 4.4.2 fail to check the return value of seteuid(), potentially allowing retained elevated privileges under error conditions.
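The seteuid() finding is a classic unchecked-return-value defect: when the switch fails, code that assumes it succeeded continues with whatever privileges it still holds. As an added example, not Netatalk's authentication module code (which the page does not show), here is the pattern a privilege-toggling helper should follow: check the return value, verify the resulting effective UID, and refuse to run the guarded operation or to continue if either step fails. The function names and the sample operations are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed example, not Netatalk's authentication modules: switch the
 * effective UID and confirm the switch took effect. Returns 0 on success,
 * -1 (with errno set) if seteuid() fails or the effective UID afterwards
 * is not the requested one. The point is that the return value is never
 * ignored: a failed switch is reported, not silently carried on from. */
int switch_euid_checked(uid_t target)
{
    if (seteuid(target) == -1)
        return -1;                 /* errno set by seteuid(), e.g. EPERM */
    if (geteuid() != target) {     /* verify rather than assume */
        errno = EACCES;
        return -1;
    }
    return 0;
}

/* Run op(arg) with the effective UID temporarily set to target, then
 * restore the caller's effective UID. If the initial switch fails the
 * operation is not run; if the restore fails, -1 is returned so the
 * caller can abort instead of continuing with unexpected privileges. */
int run_as_euid(uid_t target, int (*op)(void *), void *arg)
{
    uid_t saved = geteuid();
    if (switch_euid_checked(target) == -1)
        return -1;
    int rc = op(arg);
    if (switch_euid_checked(saved) == -1) {
        /* rc is discarded: an unrestored privilege state is the more
           serious failure */
        return -1;
    }
    return rc;
}

/* Sample operations (constructed) used by main() and by tests. */
static int count_call(void *arg) { (*(int *)arg)++; return 0; }
static int failing_op(void *arg)  { (void)arg; return -7; }

int main(void)
{
    int calls = 0;
    /* Switching to our own effective UID always succeeds, which keeps the
       demo runnable unprivileged; a real daemon would pass the target
       user's UID here and treat -1 as fatal for the request. */
    if (run_as_euid(geteuid(), count_call, &calls) != 0)
        perror("run_as_euid");
    printf("operation ran %d time(s), euid now %u\n",
           calls, (unsigned)geteuid());
    int rc = run_as_euid(geteuid(), failing_op, NULL);
    printf("failing op returned %d, euid now %u\n", rc, (unsigned)geteuid());
    return 0;
}
```

The geteuid() re-check after seteuid() costs one syscall and turns "the call said it worked" into "the process is actually in the state we need", which is the property an authentication path should rely on.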
The Netatalk project has addressed all 25 vulnerabilities. Users should upgrade to the latest patched release (beyond version 4.4.2) as soon as possible. Given the breadth of affected versions — some bugs reach back to Netatalk 1.3 from the early 2000s — administrators of legacy NAS appliances and embedded devices running older Netatalk builds should pay particular attention. No in-the-wild exploitation has been publicly reported for any of these CVEs at the time of disclosure.
This single-day disclosure of 25 CVEs represents a comprehensive security audit of the Netatalk codebase, touching nearly every major subsystem: DSI session handling, Spotlight RPC, extended attributes, authentication, charset conversion, and printer daemon code. The presence of an authentication bypass (CVE-2026-44058), a DES-ECB timing side channel (CVE-2026-44061), and multiple code-execution paths means that unpatched Netatalk instances — common in network-attached storage and Linux-based file servers — present a significant attack surface. Administrators should prioritize patching and review their exposure to the AFP service on internal networks.