Description
A heap over-read in extended attribute (EA) header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data.
Published: 2026-05-21
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability manifests as a heap over‑read in Netatalk’s extended attribute (EA) header parsing. A remote, authenticated attacker can supply crafted EA data that causes the parser to read memory beyond the intended boundary, resulting in the disclosure of limited internal data or a minor service disruption. The weakness is represented by CWE‑125, which highlights improper bounds checking in memory operations.

Affected Systems

Netatalk versions 2.1.0 through 4.4.2 are impacted. Any deployment running those releases without a corrective update is susceptible to the described flaw. The exact patch level that resolves the issue is not specified in the advisory.

Risk and Exploitability

The CVSS score of 3.7 indicates a low severity. Because the EPSS score is not provided and the vulnerability is not listed in the CISA KEV catalog, the likelihood of exploitation remains uncertain. The flaw requires the attacker to be authenticated with the Netatalk server and to trigger EA header parsing as part of normal client activity. There is no evidence of remote code execution or privilege escalation; the primary consequence is limited information disclosure, with the possible secondary impact of a brief disruption.

Generated by OpenCVE AI on May 21, 2026 at 11:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied fix or upgrade to a later Netatalk release once the update becomes available.
  • Limit client connections to Netatalk services to authenticated, trusted users through network segmentation or firewall rules.
  • Monitor system logs for abnormal EA activity and audit for unexpected memory usage patterns.


Tracking


Advisories

No advisories yet.

History

Thu, 21 May 2026 09:00:00 +0000

Type: Description
Values Removed: In Netatalk 2.1.0 through 4.4.2, ea header parsing heap over-read. Fixed in 4.5.0.
Values Added: A heap over-read in extended attribute (EA) header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data.

Thu, 21 May 2026 08:45:00 +0000

Type: First Time appeared
Values Added: Netatalk; Netatalk netatalk

Type: Vendors & Products
Values Added: Netatalk; Netatalk netatalk

Thu, 21 May 2026 07:45:00 +0000

Type: Description
Values Added: In Netatalk 2.1.0 through 4.4.2, ea header parsing heap over-read. Fixed in 4.5.0.

Type: Title
Values Added: EA header parsing heap over-read

Type: Weaknesses
Values Added: CWE-125

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L'}


Subscriptions

Netatalk Netatalk
MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-05-21T07:52:44.746Z

Reserved: 2026-05-05T07:25:20.196Z

Link: CVE-2026-44067

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T08:16:22.363

Modified: 2026-05-21T09:16:28.943

Link: CVE-2026-44067

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T11:15:09Z

Weaknesses