What this actually is.
Technical background, root cause, and affected surface.
The ad_flush() function in Netatalk's AppleDouble handling performs a permission check (time-of-check) followed by a file write operation (time-of-use) with root privileges. A remote attacker can replace the target file with a symlink between these two operations to redirect the write.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- Low
- CVSS Score
- 3.7
- Status
- Published
- CWE
- CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
libatalk/adouble/ad_flush.c: ad_flush() checks file ownership then writes with root privilege without holding a lock between check and write
Root cause: Non-atomic check-then-use pattern in ad_flush() without holding a file lock across the privilege-check and write operations
When does this fire?
All conditions must be true for the exploit to succeed.
Local attacker with filesystem access races to replace a file with a symlink between the ad_flush() permission check and write operation
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Limited file modification via symlink substitution during the TOCTOU window, exploiting root privilege of ad_flush()
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which uses O_NOFOLLOW and atomic file operations in ad_flush() to eliminate the TOCTOU window.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.