What this actually is.
Technical background, root cause, and affected surface.
A stack-based buffer overflow occurs in convert_charset() due to UCS-2 type confusion. When processing filename or string data requiring charset conversion, incorrect size calculation for UCS-2 encoded data causes a write beyond the stack buffer boundary.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- High
- CVSS Score
- 8.8
- Status
- Published
- CWE
- CWE-121: Stack-based Buffer Overflow
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
libatalk/unicode/convert_charset.c: convert_charset() - incorrect buffer size calculation when handling UCS-2 to multibyte conversions
Root cause: Incorrect byte-width accounting when converting between UCS-2 (2 bytes per character) and other encodings causes the destination buffer to be undersized
When does this fire?
All conditions must be true for the exploit to succeed.
Authenticated AFP client sends a filename or string requiring charset conversion that triggers the UCS-2 type confusion path with a crafted length
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Stack corruption leading to arbitrary code execution with the privileges of the afpd daemon (typically root)
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3. The fix corrects buffer size calculations for UCS-2 charset conversion paths.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.