What this actually is.
Technical background, root cause, and affected surface.
Multiple heap out-of-bounds reads exist in the Spotlight RPC unmarshalling code. When parsing crafted Spotlight query responses or requests, the parser reads beyond allocated buffer boundaries, leaking heap memory contents or triggering a crash.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- High
- CVSS Score
- 7.1
- Status
- Published
- CWE
- CWE-125: Out-of-bounds Read
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
afpd/spotlight_rpc.c: multiple locations in RPC message parsing where buffer read position is not validated against message boundary
Root cause: Insufficient bounds checking on read operations during Spotlight RPC message parsing
When does this fire?
All conditions must be true for the exploit to succeed.
Authenticated AFP client sends crafted Spotlight RPC messages with manipulated length fields or message structure
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Heap memory disclosure (potentially exposing sensitive data) or daemon crash (DoS)
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which adds comprehensive bounds checking throughout the Spotlight RPC unmarshaller.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.