What this actually is.
Technical background, root cause, and affected surface.
After a failed chdir() call, Netatalk proceeds to call system() without aborting the operation. Since the current working directory was not changed as intended, the system() call may execute commands relative to an unexpected directory controlled by a local attacker.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- Low
- CVSS Score
- 3
- Status
- Published
- CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- Vector
- CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
afpd/afp_unix.c or afpd/volume.c: chdir() return value not checked before subsequent system() call; execution continues on failure
Root cause: Missing error-return check on chdir(); system() called unconditionally regardless of chdir() success
When does this fire?
All conditions must be true for the exploit to succeed.
Local attacker controls the filesystem working directory of the afpd process and causes chdir() to fail to the attacker-controlled directory
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Limited OS command execution relative to an attacker-controlled working directory
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which adds chdir() return value checking and aborts on failure.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.