Description
A logic error involving bitwise OR operations in Netatalk 3.1.4 through 4.4.2 allows a remote authenticated attacker to inject OS commands and execute arbitrary code.
Published: 2026-05-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netatalk, a file sharing service, has a logic error involving bitwise OR operations across versions 3.1.4 through 4.4.2 that lets a remote authenticated attacker inject OS commands and execute arbitrary code. This flaw allows execution with the privileges of the Netatalk daemon, resulting in full compromise of the affected system. The vulnerability is a command injection (CWE-78).

Affected Systems

Netatalk versions 3.1.4 through 4.4.2 are vulnerable. Version 4.4.3 and later include the fix.

Risk and Exploitability

The vulnerability receives a CVSS score of 7.5, indicating high severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog, implying no confirmed, widespread exploitation at the time of this analysis. The likely attack vector is remote access to the Netatalk service, which is commonly exposed over network ports.

Generated by OpenCVE AI on May 21, 2026 at 10:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netatalk to version 4.4.3 or later to apply the vendor patch
  • If an upgrade is not immediately possible, disable or remove the functionality that triggers the bitwise OR logic bug to prevent command injection
  • Configure Netatalk to run with minimal privileges and restrict shell execution capabilities
  • Monitor Netatalk logs for anomalous command execution attempts and apply rate limiting on client connections

Generated by OpenCVE AI on May 21, 2026 at 10:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-62801 netatalk security update
History

Thu, 21 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 21 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description In Netatalk 3.1.4 through 4.4.2, bitwise or logic bug enables shell injection. Fixed in 4.4.3. A logic error involving bitwise OR operations in Netatalk 3.1.4 through 4.4.2 allows a remote authenticated attacker to inject OS commands and execute arbitrary code.

Thu, 21 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Netatalk
Netatalk netatalk
Vendors & Products Netatalk
Netatalk netatalk

Thu, 21 May 2026 07:45:00 +0000

Type Values Removed Values Added
Description In Netatalk 3.1.4 through 4.4.2, bitwise or logic bug enables shell injection. Fixed in 4.4.3.
Title Bitwise OR logic bug enables shell injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Netatalk Netatalk
cve-icon MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-05-21T12:35:12.649Z

Reserved: 2026-05-05T07:24:42.291Z

Link: CVE-2026-44055

cve-icon Vulnrichment

Updated: 2026-05-21T12:35:08.562Z

cve-icon NVD

Status : Deferred

Published: 2026-05-21T08:16:21.137

Modified: 2026-05-21T15:20:19.040

Link: CVE-2026-44055

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T10:30:08Z

Weaknesses