Description
A race condition in the privilege toggle mechanism in Netatalk 2.2.5 through 4.4.2 allows a local attacker to obtain limited information, modify limited data, or cause a minor service disruption.
Published: 2026-05-21
Score: 3.9 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Netatalk versions 2.2.5 through 4.4.2 and involves a race condition in the privilege toggle mechanism. A local attacker can exploit the non‑reentrant toggle to obtain limited system information, modify limited data, or trigger a minor service disruption. These effects are confined to the Netatalk process and do not grant broader privilege escalation, but they may facilitate further attacks if additional information or state is compromised.

Affected Systems

The affected vendor is Netatalk. The vulnerability impacts all releases from version 2.2.5 up to and including 4.4.2. No specific patched version is currently documented in the CVE data.

Risk and Exploitability

The CVSS score of 3.9 indicates low overall severity. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. Attackers would need local access to the Netatalk service to trigger the race condition, and success yields only modest information disclosure, data modification, or service disruption rather than full privilege escalation.

Generated by OpenCVE AI on May 21, 2026 at 10:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided fix for Netatalk once it is released, and make sure every installation running an affected version is updated.
  • If an update cannot be performed immediately, stop the Netatalk service to eliminate the attack surface until a patch is available.
  • Run the Netatalk service with the minimum required privileges to reduce the impact if the flaw were triggered.

Advisories

No advisories yet.

History

Thu, 21 May 2026 09:00:00 +0000

Type: Description
Values Removed: In Netatalk 2.2.5 through 4.4.2, non-reentrant privilege toggle. Fixed in 4.5.0.
Values Added: A race condition in the privilege toggle mechanism in Netatalk 2.2.5 through 4.4.2 allows a local attacker to obtain limited information, modify limited data, or cause a minor service disruption.

Thu, 21 May 2026 08:45:00 +0000

Type: First Time appeared
Values Added: Netatalk; Netatalk netatalk
Type: Vendors & Products
Values Added: Netatalk; Netatalk netatalk

Thu, 21 May 2026 07:45:00 +0000

Type: Description
Values Added: In Netatalk 2.2.5 through 4.4.2, non-reentrant privilege toggle. Fixed in 4.5.0.
Type: Title
Values Added: Non-reentrant privilege toggle
Type: Weaknesses
Values Added: CWE-362
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 3.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-05-21T07:52:28.533Z

Reserved: 2026-05-05T07:25:12.313Z

Link: CVE-2026-44059

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T08:16:21.467

Modified: 2026-05-21T09:16:28.147

Link: CVE-2026-44059

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T11:00:11Z

Weaknesses