What this actually is.
Technical background, root cause, and affected surface.
In pull_charset_flags(), the output length parameter (o_len) is not validated against the actual output buffer size after charset conversion. When conversion produces output that exceeds the destination buffer, the excess bytes overwrite adjacent heap memory.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- High
- CVSS Score
- 7.5
- Status
- Published
- CWE
- CWE-787: Out-of-bounds Write
- Vector
- CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
libatalk/unicode/convert_charset.c: pull_charset_flags() - o_len parameter not bounds-checked against destination buffer after iconv conversion
Root cause: Missing validation of output length (o_len) against actual destination buffer capacity after iconv conversion in pull_charset_flags()
When does this fire?
All conditions must be true for the exploit to succeed.
Authenticated AFP client provides crafted character data where charset conversion output exceeds the destination buffer size passed as o_len
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Heap out-of-bounds write leading to memory corruption and potential arbitrary code execution
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which adds o_len bounds validation in pull_charset_flags().
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.