Description
A dead bounds check in the Spotlight RPC unmarshaller in Netatalk 3.0.0 through 4.4.2 results in an unreachable code path that provides no effective bounds protection, which may allow a remote authenticated attacker to obtain limited information via crafted Spotlight RPC requests.
Published: 2026-05-21
Score: 3.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A dead bounds check in the Spotlight RPC unmarshaller of Netatalk leads to an unreachable code path that removes all effective bounds protection. This flaw allows a remote authenticated attacker to craft special Spotlight RPC requests and obtain limited information. The weakness is identified as CWE-561, representing dead code that can produce unintended behavior. The principal security consequence is information disclosure.

Affected Systems

Netatalk version 3.0.0 through 4.4.2 are affected. All instances of these releases can potentially be exploited by attackers who have legitimate or compromised credentials against the service.

Risk and Exploitability

The CVSS score of 3.1 categorizes this vulnerability as low to moderate. EPSS is not available, and it is not listed in the CISA KEV catalog, suggesting limited exploitation data. Based on the description, the attack requires an authenticated session to the Netatalk server; the attacker must send crafted RPC requests to trigger the misuse of the dead bounds check. While the exploit could provide only limited data, it may still aid reconnaissance activities.

Generated by OpenCVE AI on May 21, 2026 at 10:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Review Netatalk advisories and apply any available patch that corrects the dead bounds check in the Spotlight RPC unmarshaller.
  • If the Spotlight RPC feature is not required, disable or remove it to eliminate the attack surface.
  • Restrict access to the Netatalk service to trusted network segments and enforce strong authentication to limit exposure to authenticated attackers.

Generated by OpenCVE AI on May 21, 2026 at 10:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-62801 netatalk security update
History

Thu, 21 May 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Netatalk
Netatalk netatalk
Vendors & Products Netatalk
Netatalk netatalk

Thu, 21 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description A dead bounds check in the Spotlight RPC unmarshaller in Netatalk 3.0.0 through 4.4.2 results in an unreachable code path that provides no effective bounds protection, which may allow a remote authenticated attacker to obtain limited information via crafted Spotlight RPC requests.
Title Dead bounds check in Spotlight RPC unmarshaller
Weaknesses CWE-561
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Netatalk Netatalk
cve-icon MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-05-21T08:23:38.881Z

Reserved: 2026-05-05T07:25:12.312Z

Link: CVE-2026-44057

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-21T09:16:27.930

Modified: 2026-05-21T09:16:27.930

Link: CVE-2026-44057

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T11:00:11Z

Weaknesses