What this actually is.
Technical background, root cause, and affected surface.
The volxlate() function in Netatalk performs arithmetic on volume-related size values that can underflow when inputs are crafted to produce a negative (wrapped) result. A local privileged attacker can trigger this to read or modify limited data.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- Low
- CVSS Score
- 3.9
- Status
- Published
- CWE
- CWE-191: Integer Underflow (Wrap or Wraparound)
- Vector
- CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
afpd/volume.c: volxlate() - size arithmetic without unsigned underflow protection
Root cause: Missing underflow check on unsigned arithmetic in volxlate() before use of result
When does this fire?
All conditions must be true for the exploit to succeed.
Local administrator-level user triggers volume translation with crafted size parameters that cause arithmetic underflow
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Limited out-of-bounds memory access; minor data disclosure or modification
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which adds underflow guards in volxlate().
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.