What this actually is.
Technical background, root cause, and affected surface.
A heap-based buffer overflow in comm_rcv() within the CNID daemon occurs when receiving oversized messages from AFP clients. The function allocates a fixed-size heap buffer but does not validate the incoming message length before copying data, enabling heap corruption.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- Critical
- CVSS Score
- 9.9
- Status
- Published
- CWE
- CWE-122: Heap-based Buffer Overflow
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
cnid_dbd/comm.c: comm_rcv() - fixed-size heap allocation with no bounds check on received message length before memcpy
Root cause: Missing length validation in comm_rcv() before copying network-received data into a fixed-size heap buffer
When does this fire?
All conditions must be true for the exploit to succeed.
Authenticated AFP client sends an oversized CNID protocol message to the CNID daemon, exceeding the allocated heap buffer
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Heap corruption enabling arbitrary code execution with the privileges of the CNID daemon (root/elevated)
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 immediately. The fix adds message length validation before heap allocation and copy in comm_rcv().
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.