Description
An incorrect calculation in the hextoint macro in Netatalk 2.0.0 through 4.4.2 due to improper uppercase character handling allows a remote authenticated attacker to cause limited data modification via crafted hexadecimal input.
Published: 2026-05-21
Score: 3.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a bug in the hextoint macro used by Netatalk between versions 2.0.0 and 4.4.2. The macro incorrectly handles uppercase hexadecimal characters, which can cause the value to be parsed incorrectly. This allows a remote authenticated attacker to send crafted hexadecimal input that results in limited data modification on the server. The weakness is identified as CWE-682 and the CVSS score of 3.1 indicates a low severity impact focused on data integrity rather than disclosure or execution.

Affected Systems

Netatalk versions 2.0.0 through 4.4.2, which provide Apple Filing Protocol (AFP) file sharing on Unix‑based systems. All installations running any of these versions are affected until the fix is applied.

Risk and Exploitability

The CVSS base score of 3.1 reflects a low‑risk condition. No exploitation reports are available and no EPSS score is available. The vulnerability is not listed in CISA’s KEV catalog, so CISA has not recorded known exploitation of it. Exploitation would require a remote authenticated attacker to send specially crafted hexadecimal input to the server to trigger the macro’s bug, which may result in values being misinterpreted on the server or in limited data modification. The CVSS vector (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N) narrows the risk further: attack complexity is high, the attacker needs low‑privilege credentials, and the only impact is a low loss of integrity.

Generated by OpenCVE AI on May 21, 2026 at 10:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Netatalk version 4.5.0 or later to apply the fix for the hextoint macro bug.
  • Restrict network access to the Netatalk service from untrusted hosts to reduce the attack surface.
  • Monitor server logs for anomalous hexadecimal inputs or unexpected service interruptions that may indicate exploitation attempts.

Advisories

No advisories yet.

References
History

Thu, 21 May 2026 09:15:00 +0000

  • First Time appeared
      Values Added: Netatalk; Netatalk netatalk
  • Vendors & Products
      Values Added: Netatalk; Netatalk netatalk

Thu, 21 May 2026 09:00:00 +0000

  • Description
      Values Removed: In Netatalk 2.0.0 through 4.4.2, hextoint macro uppercase bug. Fixed in 4.5.0.
      Values Added: An incorrect calculation in the hextoint macro in Netatalk 2.0.0 through 4.4.2 due to improper uppercase character handling allows a remote authenticated attacker to cause limited data modification via crafted hexadecimal input.

Thu, 21 May 2026 07:45:00 +0000

  • Description
      Values Added: In Netatalk 2.0.0 through 4.4.2, hextoint macro uppercase bug. Fixed in 4.5.0.
  • Title
      Values Added: hextoint macro uppercase bug
  • Weaknesses
      Values Added: CWE-682
  • References
  • Metrics
      Values Added: cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-05-21T07:53:03.045Z

Reserved: 2026-05-05T07:25:35.245Z

Link: CVE-2026-7836

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T08:16:23.403

Modified: 2026-05-21T09:16:30.680

Link: CVE-2026-7836

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T10:45:08Z

Weaknesses