What this actually is.
Technical background, root cause, and affected surface.
A format string function call in Netatalk has a mismatch between the format specifier and the argument type or count. This can cause the function to read unintended values from the stack, potentially disclosing stack memory contents.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- Low
- CVSS Score
- 3.1
- Status
- Published
- CWE
- CWE-134: Use of Externally-Controlled Format String
- Vector
- CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
afpd or libatalk: LOG() or printf-family call with mismatched format string arguments (e.g., %s used with integer argument)
Root cause: Format string specifier does not match the type of the corresponding argument in a printf-family or LOG() call
When does this fire?
All conditions must be true for the exploit to succeed.
Authenticated AFP client triggers the code path containing the mismatched format string call
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Limited stack memory disclosure via format string argument mismatch; potential daemon instability
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which corrects all format string argument mismatches. Build with -Wformat -Wformat-security to detect future issues.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.