What this actually is.
Technical background, root cause, and affected surface.
A stack-based buffer overflow in desktop.c occurs when processing AFP desktop database requests. Insufficient bounds checking on client-supplied data during desktop comment or icon operations causes stack corruption.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- Medium
- CVSS Score
- 6.4
- Status
- Published
- CWE
- CWE-121: Stack-based Buffer Overflow
- Vector
- CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
afpd/desktop.c: buffer allocation and copy operations for AFP desktop database entries lack length validation
Root cause: Missing bounds check on AFP client-supplied data length before copying into fixed-size stack buffer in desktop.c
When does this fire?
All conditions must be true for the exploit to succeed.
Authenticated AFP client sends oversized desktop database entry (e.g., file comment or icon) exceeding the stack buffer size
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Stack corruption leading to daemon crash (DoS) or limited arbitrary code execution
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which adds bounds checking for desktop database operations.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.