What this actually is.
Technical background, root cause, and affected surface.
Netatalk versions 3.1.2 through 4.4.2 are built without FORTIFY_SOURCE, disabling a GCC/clang compiler feature that adds runtime bounds checking for common buffer functions (strcpy, memcpy, etc.) and detects buffer overflows at runtime.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- Low
- CVSS Score
- 3.7
- Status
- Published
- CWE
- CWE-693: Protection Mechanism Failure
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
CMakeLists.txt / configure.ac: -D_FORTIFY_SOURCE=2 compilation flag absent from build configuration
Root cause: Build system configuration omits the -D_FORTIFY_SOURCE=2 compiler definition
When does this fire?
All conditions must be true for the exploit to succeed.
Any deployment of official Netatalk 3.1.2-4.4.2 binaries; self-compiled without explicit FORTIFY_SOURCE flag
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Removal of runtime detection for buffer overflows; makes exploitation of other Netatalk memory corruption CVEs more reliable
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which restores FORTIFY_SOURCE=2 in the build system. If building from source, add -D_FORTIFY_SOURCE=2 to CFLAGS.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.