What this actually is.
Technical background, root cause, and affected surface.
In convert_charset(), a null terminator is written one byte past the end of the destination buffer when the output exactly fills the buffer. This off-by-one OOB write corrupts adjacent memory.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- High
- CVSS Score
- 7.5
- Status
- Published
- CWE
- CWE-787: Out-of-bounds Write
- Vector
- CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
libatalk/unicode/convert_charset.c: convert_charset() - null terminator placement after buffer boundary
Root cause: Off-by-one error: null terminator written at buf[size] instead of buf[size-1] when output length equals buffer size
When does this fire?
All conditions must be true for the exploit to succeed.
Authenticated AFP client sends crafted character data that results in a charset conversion output exactly filling the destination buffer
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Out-of-bounds memory write leading to memory corruption and potential arbitrary code execution
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which corrects null termination logic in convert_charset().
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.