What this actually is.
Technical background, root cause, and affected surface.
When parsing Extended Attributes (EA) headers in AFP requests, Netatalk reads beyond the end of the header buffer. A crafted EA header with manipulated length fields causes a heap over-read, potentially leaking adjacent heap contents to the requester.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- Medium
- CVSS Score
- 4.2
- Status
- Published
- CWE
- CWE-125: Out-of-bounds Read
- Vector
- CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
afpd/ea.c: EA header parsing reads length-delimited fields without validating the length against remaining buffer size
Root cause: Missing bounds check on EA header field lengths before reading from the header buffer
When does this fire?
All conditions must be true for the exploit to succeed.
Attacker sends an AFP request with a crafted Extended Attributes header containing manipulated length fields
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Heap memory disclosure; potentially exposing pointers, tokens, or sensitive data adjacent to the EA buffer
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which validates EA header field lengths against buffer boundaries before reading.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.