Description
Netatalk 2.2.1 through 4.4.2 calls system() after a failed chdir() without properly handling the error condition, which allows a local privileged user to execute unintended commands or cause a minor service disruption under specific conditions.
Published: 2026-05-21
Score: 2.5 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netatalk, an open-source Apple Filing Protocol (AFP) file server, calls the C library function system() after a chdir() whose return value is not checked. When the directory change fails, the shell command still runs, but in whatever working directory the process already had, so any relative paths in that command resolve against the wrong location. According to the updated description, this lets a local privileged user execute unintended commands or cause a minor service disruption under specific conditions. The weakness is classified as OS command injection (CWE-78). The published CVSS 3.1 vector (AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L) records local access, high privileges required, no scope change, no confidentiality impact and only low integrity and availability impact; it does not describe remote code execution or a crossing of a privilege boundary, which is why the score is low.
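The C program below is added here to illustrate the bug shape the description names; it is not Netatalk's source and does not reproduce the affected function. The directory names, the marker file and the scratch-directory harness are constructed for the demonstration. The unchecked variant ignores chdir() and then calls system(), so a command meant for a missing volume directory lands in the daemon's own working directory; the checked variant fails closed, performs the chdir() in a child so the parent's cwd is never disturbed, and executes an explicit argv instead of going through /bin/sh.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

/*
 * Vulnerable pattern (illustrative code written for this page, not Netatalk's
 * own source). The return value of chdir() is discarded, so when the target
 * directory is missing or inaccessible the shell command still runs, but in
 * whatever directory the process happened to be in at the time.
 */
int run_in_dir_unchecked(const char *dir, const char *cmd)
{
    (void)chdir(dir);      /* the bug: failure is silently ignored */
    return system(cmd);    /* relative paths in cmd now resolve against the old cwd */
}

/*
 * Hardened pattern: fail closed. The chdir() happens in the child, so the
 * parent's working directory is never touched, and the command is executed
 * from an explicit argv rather than through /bin/sh. Returns the child's exit
 * status, 126 if the directory could not be entered, 127 if exec failed, and
 * -1 if fork() or waitpid() failed.
 */
int run_in_dir_checked(const char *dir, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (chdir(dir) != 0)
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Harness helpers: a scratch directory under /tmp stands in for the daemon's cwd. */
static int exists(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* Returns 1 if the unchecked variant created "marker" in the *current* directory
   even though the requested directory does not exist: the misfire this CVE describes. */
int demo_unchecked_misfires(void)
{
    char tmpl[] = "/tmp/chdir-demo-XXXXXX";
    char *scratch = mkdtemp(tmpl);
    if (!scratch || chdir(scratch) != 0)
        return -1;
    run_in_dir_unchecked("/nonexistent/afp-volume", "touch marker");
    int misfired = exists("marker");
    unlink("marker");
    (void)chdir("/");
    rmdir(scratch);
    return misfired;
}

/* Returns 1 if the checked variant refuses (exit code 126) and leaves no marker behind. */
int demo_checked_refuses(void)
{
    char tmpl[] = "/tmp/chdir-demo-XXXXXX";
    char *scratch = mkdtemp(tmpl);
    if (!scratch || chdir(scratch) != 0)
        return -1;
    char *const argv[] = { "touch", "marker", NULL };
    int rc = run_in_dir_checked("/nonexistent/afp-volume", argv);
    int refused = (rc == 126) && !exists("marker");
    unlink("marker");
    (void)chdir("/");
    rmdir(scratch);
    return refused;
}

/* Returns 1 if the checked variant runs the command inside the target directory
   while the caller's own working directory stays where it was. */
int demo_checked_runs_in_target(void)
{
    char tmpl[] = "/tmp/chdir-demo-XXXXXX";
    char *scratch = mkdtemp(tmpl);
    if (!scratch || chdir("/") != 0)
        return -1;
    char *const argv[] = { "touch", "marker", NULL };
    int rc = run_in_dir_checked(scratch, argv);
    char path[sizeof tmpl + sizeof "/marker"];
    snprintf(path, sizeof path, "%s/marker", scratch);
    char cwd[64];
    int ok = rc == 0 && exists(path) && getcwd(cwd, sizeof cwd) && strcmp(cwd, "/") == 0;
    unlink(path);
    rmdir(scratch);
    return ok;
}
```

The three demo functions are the experiment a reviewer would run before accepting a fix: the first proves the misfire, the second proves the check closes it, and the third proves the checked variant still does the job in the intended directory. In real code the same rule applies to any call that changes process-wide state (chdir, chroot, setuid) before spawning a subprocess: check the return value, and prefer fork/exec with an argv over system() so the shell cannot reinterpret the command.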

Affected Systems

The vulnerability exists in Netatalk versions 2.2.1 through 4.4.2; the CVE description names 4.5.0 as the fixed release. Netatalk is the open-source Apple Filing Protocol (AFP) server maintained by the Netatalk project and is typically deployed on Unix-like servers that share files with Mac clients.

Risk and Exploitability

The CVSS 3.1 base score of 2.5 (Low) follows from the published vector AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L: local access, high attack complexity and high privileges are required, user interaction is not, and the impact is limited to low integrity and availability with no confidentiality loss. EPSS data is not yet available and the CVE is not in the CISA KEV catalog, so there is no indication of exploitation in the wild. An attacker who already holds local privileges has to make the chdir() fail (chdir() fails when the target does not exist or is not accessible) and then depend on the following system() call doing something useful to them from the wrong working directory. The attack vector is Local as stated in the vector itself, and the overall likelihood of exploitation is low.

Generated by OpenCVE AI on May 21, 2026 at 11:06 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The CVE description itself states that the issue is fixed in Netatalk 4.5.0.

OpenCVE Recommended Actions

  • Verify the installed Netatalk version and upgrade to 4.5.0 or later, the release the CVE description names as fixed.
  • If upgrading is not immediately possible, limit what a misdirected command can reach: confine the Netatalk daemons with OS-level sandboxing (systemd unit hardening or a mandatory access control profile) and make sure the directories they change into exist and are correctly permissioned, so the chdir() does not fail in the first place. Note that afpd normally starts as root in order to switch to the identity of each connected user, so simply running it under an unprivileged account is usually not an option.
  • Rather than relying on application logs for this, audit process execution at the OS level: record execve() calls made by child processes of the Netatalk daemons (afpd, cnid_metad, cnid_dbd) and alert on commands that are unexpected or that run from an unexpected working directory.


Advisories

No advisories yet.

History

Thu, 21 May 2026 09:00:00 +0000

Description
  Removed: In Netatalk 2.2.1 through 4.4.2, system() after failed chdir(). Fixed in 4.5.0.
  Added:   Netatalk 2.2.1 through 4.4.2 calls system() after a failed chdir() without properly handling the error condition, which allows a local privileged user to execute unintended commands or cause a minor service disruption under specific conditions.

Thu, 21 May 2026 08:45:00 +0000

First Time appeared
  Added: Netatalk
         Netatalk netatalk
Vendors & Products
  Added: Netatalk
         Netatalk netatalk

Thu, 21 May 2026 07:45:00 +0000

Description
  Added: In Netatalk 2.2.1 through 4.4.2, system() after failed chdir(). Fixed in 4.5.0.
Title
  Added: system() after failed chdir()
Weaknesses
  Added: CWE-78
References
Metrics
  Added: cvssV3_1 {'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-05-21T07:52:52.706Z

Reserved: 2026-05-05T07:25:20.196Z

Link: CVE-2026-44072

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T08:16:22.807

Modified: 2026-05-21T09:16:29.460

Link: CVE-2026-44072

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T11:15:09Z

Weaknesses