What this actually is.
Technical background, root cause, and affected surface.
The lp_write() function in the papd (printer access protocol daemon) contains an off-by-two error in buffer bounds calculation. This allows write operations to go two bytes past the intended buffer boundary, causing heap corruption and potential crash.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- Medium
- CVSS Score
- 4.2
- Status
- Published
- CWE
- CWE-193: Off-by-one Error
- Vector
- CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
papd/lp.c: lp_write() - buffer size calculation is off by two, allowing two-byte overwrite past buffer end
Root cause: Incorrect buffer boundary arithmetic in lp_write(); buffer size calculated as (n-2) instead of n, or write limit uses (size+2)
When does this fire?
All conditions must be true for the exploit to succeed.
Attacker or client sends a crafted print job that triggers the off-by-two write path in lp_write()
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Minor heap corruption leading to papd crash and printing service disruption
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which corrects the bounds calculation in lp_write().
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.