What this actually is.
Technical background, root cause, and affected surface.
The hextoint() macro in Netatalk only handles lowercase hexadecimal characters (a-f) and does not convert uppercase hex digits (A-F). When uppercase hex is encountered, the macro returns an incorrect value, causing silent data corruption in any code path that processes hex-encoded AFP data.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- Low
- CVSS Score
- 3.1
- Status
- Published
- CWE
- CWE-682: Incorrect Calculation
- Vector
- CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
include/atalk/util.h or libatalk: hextoint macro handles 0-9 and a-f but not A-F; uppercase returns garbage value
Root cause: hextoint macro missing case conversion (tolower()) or explicit handling of uppercase A-F hex digits
When does this fire?
All conditions must be true for the exploit to succeed.
AFP client sends hex-encoded data containing uppercase hex digits in a field processed by hextoint()
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Incorrect parsing of hex-encoded AFP data; potential data integrity issues or unexpected protocol behavior
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which fixes hextoint() to handle both upper and lowercase hexadecimal digits correctly.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.