Description
A format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted input that triggers incorrect format string processing.
Published: 2026-05-21
Score: 3.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netatalk, an AFP server implementation, has a format string argument mismatch vulnerability affecting versions 3.0.3 through 4.4.2. This flaw is classified as CWE‑134 and allows a remote authenticated attacker to trigger a minor denial of service by crafting input that causes incorrect format string processing. The CVSS score of 3.1 indicates a low‑severity risk in typical environments.

Affected Systems

The affected product is Netatalk, distributed under the Netatalk:Netatalk product line. The vulnerability exists in Netatalk releases 3.0.3 up to and including 4.4.2. The CVE data does not indicate a fixed version.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, which combined with the low CVSS score suggests limited exploitation probability. The attack vector is not explicitly documented, but based on the description it is inferred to be remote authenticated, with a local effect triggering a minor denial of service; no purely remote exploitation path is indicated.

Generated by OpenCVE AI on May 21, 2026 at 11:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Netatalk vendor's website or security advisories for any available patches or updates that address the format string mismatch. Apply any such patch when it becomes available.
  • If a patch is not available or cannot be applied immediately, limit Netatalk access to trusted users or a secure network segment to reduce the possibility of exploitation.
  • Validate or sanitize any inputs that could be used as format strings before they are passed to formatting functions, following best practices for input handling to mitigate CWE‑134.

Advisories

No advisories yet.

History

Thu, 21 May 2026 09:00:00 +0000

Type: Description
Values Removed: In Netatalk 3.0.3 through 4.4.2, format string argument mismatch. Fixed in 4.5.0.
Values Added: A format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted input that triggers incorrect format string processing.

Thu, 21 May 2026 08:45:00 +0000

Type: First Time appeared
Values Added: Netatalk; Netatalk netatalk

Type: Vendors & Products
Values Added: Netatalk; Netatalk netatalk

Thu, 21 May 2026 07:45:00 +0000

Type: Description
Values Added: In Netatalk 3.0.3 through 4.4.2, format string argument mismatch. Fixed in 4.5.0.

Type: Title
Values Added: Format string argument mismatch

Type: Weaknesses
Values Added: CWE-134

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-05-21T07:52:58.694Z

Reserved: 2026-05-05T07:25:32.860Z

Link: CVE-2026-7835

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T08:16:23.277

Modified: 2026-05-21T09:16:30.553

Link: CVE-2026-7835

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T11:15:09Z
