SecurinZero Days
    Email Us
    Zero-Day Research/CVE-2026-7837
    ▲ LowCVSS 3.7EPSS 0.00236%

    TOCTOU with root privilege in ad_flush

    A time-of-check time-of-use (TOCTOU) condition in the ad_flush function in Netatalk 3.0.0 through 4.4.2 involves root-privileged file operations, which may allow a remote attacker to cause limited data modification under specific race conditions.

    CVE IDCVE-2026-7837
    CVSS v3.13.7 Low
    VendorNetatalk
    CWECWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
    DisclosedMay 21, 2026
    StatusPublished
    All advisories
    • 01Description
    • 02Proof of Concept
    • 03Vulnerable Code
    • 04Trigger Conditions
    • 05Impact
    • 06Remediation
    • 07Timeline
    • 08References
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

    The ad_flush() function in Netatalk's AppleDouble handling performs a permission check (time-of-check) followed by a file write operation (time-of-use) with root privileges. A remote attacker can replace the target file with a symlink between these two operations to redirect the write.

    Vendor
    Netatalk
    Product
    Netatalk
    Severity
    Low
    CVSS Score
    3.7
    Status
    Published
    CWE
    CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
    Vector
    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
    02/Proof of Concept

    From one request
    to root shell.

    Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

    3.7CVSS 3.1
    VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
    ScopeUnchanged
    ImpactC:N / I:L / A:N
    SeverityLow
    PoC · Exploitation Steps▲ trigger
    01No public PoC available
    03/Vulnerable Code

    The bug, and the fix.

    libatalk/adouble/ad_flush.c: ad_flush() checks file ownership then writes with root privilege without holding a lock between check and write

    Root cause: Non-atomic check-then-use pattern in ad_flush() without holding a file lock across the privilege-check and write operations

    04/Trigger Conditions

    When does this fire?

    All conditions must be true for the exploit to succeed.

    Local attacker with filesystem access races to replace a file with a symlink between the ad_flush() permission check and write operation

    05/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

    Limited file modification via symlink substitution during the TOCTOU window, exploiting root privilege of ad_flush()

    06/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

    Upgrade to Netatalk 4.4.3 which uses O_NOFOLLOW and atomic file operations in ad_flush() to eliminate the TOCTOU window.

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2026-7837, contact disclose@securin.io
    07/Disclosure Timeline

    Vendors moved in days.
    Attackers in hours.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

    2026-03-14: Vendor notified

    2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE

    Timeline recorded · Disclosure coordinated by Securin

    08/References

    Cite, verify, go deeper.

    Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

    NVD

    NVD — CVE-2026-7837

    nvd.nist.gov/vuln/detail/CVE-2026-7837 →
    SEC

    Securin VI — Full Technical Analysis

    vi.securin.io →
    NETATA

    https://netatalk.io/security/CVE-2026-7837

    https://netatalk.io/security/CVE-2026-7837 →

    Let Securin level up your security posture.

    Get a live exposure assessment, threat-actor briefing tailored to your sector, and IoC mapping for your SIEM.

    Browse all advisories
    SecurinSecurinZero Days

    Securin's zero-day research operation combines frontier AI models with a decade of offensive expertise — discovering, validating, and coordinating the disclosure of high-impact vulnerabilities at a scale and speed no human team achieves alone.

    Glossary
    © 2026 Securin Inc · CVE Numbering Authority
    Privacy Policy·Data Processing Addendum