Description
An unbounded memory reallocation in the charset conversion code in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted character conversion requests.
Published: 2026-05-21
Score: 3.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unbounded memory reallocation in the charset conversion code of Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted character conversion requests. The flaw arises during dynamic memory allocation of multibyte character conversions, where an unbounded realloc operation can exhaust memory or trigger a crash. This results in a denial‑of‑service condition affecting availability of the Netatalk service. Though the CVSS score of 3.1 indicates a low overall risk, the potential for service interruption can be critical on production systems.

Affected Systems

The bug is present in Netatalk releases from 2.0.0 up to and including 4.4.2. All deployments running any affected Netatalk version should be evaluated, including both server and client components that perform charset conversion.

Risk and Exploitability

The CVSS score of 3.1 reflects the low impact, and there is no EPSS data or KEV listing, suggesting that the vulnerability has not been widely exploited in the wild. The updated description indicates that a remote authenticated attacker can trigger the flaw via crafted character conversion requests, making the attack vector remote but requiring authentication to the Netatalk service. Because the flaw does not provide data disclosure or code execution, the primary risk remains a remote denial of service.

Generated by OpenCVE AI on May 21, 2026 at 11:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netatalk to the latest available version that includes the fix for the unbounded realloc bug.
  • If an upgrade cannot be performed immediately, configure Netatalk to avoid using the charset conversion routine (e.g., disable or restrict multibyte support) to mitigate the risk of memory exhaustion.
  • Regularly review system logs and monitor memory usage for abnormal spikes or crashes that could indicate exploitation attempts or the presence of the vulnerability.



Advisories

No advisories yet.

History

Thu, 21 May 2026 09:00:00 +0000

Type: Description
Values Removed: In Netatalk 2.0.0 through 4.4.2, unbounded realloc in charset conversion. Fixed in 4.5.0.
Values Added: An unbounded memory reallocation in the charset conversion code in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted character conversion requests.

Thu, 21 May 2026 08:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Netatalk; Netatalk netatalk

Type: Vendors & Products
Values Removed: (none)
Values Added: Netatalk; Netatalk netatalk

Thu, 21 May 2026 07:45:00 +0000

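Type: Description
Values Removed: (none)
Values Added: In Netatalk 2.0.0 through 4.4.2, unbounded realloc in charset conversion. Fixed in 4.5.0.

Type: Title
Values Removed: (none)
Values Added: Unbounded realloc in charset conversion

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-770

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L'}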


MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-05-21T07:52:50.810Z

Reserved: 2026-05-05T07:25:20.196Z

Link: CVE-2026-44070

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T08:16:22.693

Modified: 2026-05-21T09:16:29.240

Link: CVE-2026-44070

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T11:15:09Z

Weaknesses