What this actually is.
Technical background, root cause, and affected surface.
Netatalk's privilege toggle mechanism (seteuid/setegid calls) is non-reentrant. In multi-threaded or signal-handler contexts, a race condition exists between the privilege drop and restore calls, creating a window where operations execute with unintended privileges.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- Medium
- CVSS Score
- 4.5
- Status
- Published
- CWE
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- Vector
- CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
afpd/unix.c: become_user()/unbecome_user() privilege toggle is not protected against concurrent access or signal interruption
Root cause: Privilege toggle functions are not atomic and lack mutex protection, creating exploitable race windows
When does this fire?
All conditions must be true for the exploit to succeed.
Local attacker with system access triggers concurrent AFP operations or signal delivery during the privilege toggle window
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Limited unauthorized file read or write within the race condition window; minor service disruption
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which makes privilege toggle operations atomic and signal-safe.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.