What this actually is.
Technical background, root cause, and affected surface.
Charset conversion in Netatalk uses realloc() to grow a destination buffer in a loop without a maximum size cap. An integer overflow in the growth calculation or an unbounded loop allows an authenticated attacker to exhaust process memory.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- Low
- CVSS Score
- 3.1
- Status
- Published
- CWE
- CWE-770: Allocation of Resources Without Limits or Throttling
- Vector
- CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
libatalk/unicode/convert_charset.c: conversion loop calls realloc() without maximum size bound, enabling unbounded memory growth
Root cause: No maximum allocation limit on the realloc() growth loop in charset conversion; integer overflow in size multiplier can also cause incorrect allocation sizes
When does this fire?
All conditions must be true for the exploit to succeed.
Authenticated AFP client sends data requiring charset conversion that triggers repeated buffer growth without reaching a termination condition
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Process memory exhaustion leading to daemon crash (OOM kill) and service disruption
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which adds a maximum buffer size cap on charset conversion allocation.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.