What this actually is.
Technical background, root cause, and affected surface.
In the Spotlight RPC unmarshaller, a bounds check exists in the code but is placed after an unconditional return or in a branch that is never reached. The check compiles but never executes, providing no protection against out-of-bounds access.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- Low
- CVSS Score
- 3.1
- Status
- Published
- CWE
- CWE-561: Dead Code
- Vector
- CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
afpd/spotlight_rpc.c or spotlight.c: bounds check condition after unconditional return or in unreachable branch in Spotlight RPC parsing
Root cause: Bounds check placed in unreachable code path (dead code), likely due to refactoring error
When does this fire?
All conditions must be true for the exploit to succeed.
Authenticated AFP client sends crafted Spotlight RPC requests to a Netatalk server with Spotlight enabled
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Limited information disclosure via Spotlight RPC due to missing effective bounds protection
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which removes the dead code and adds effective bounds checking in the correct location.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.