Description
A time-of-check time-of-use (TOCTOU) condition in the ad_flush function in Netatalk 3.0.0 through 4.4.2 involves root-privileged file operations, which may allow a remote attacker to cause limited data modification under specific race conditions.
Published: 2026-05-21
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A time-of-check time-of-use flaw in the Netatalk ad_flush function allows a remote attacker to perform limited data modification when the affected code runs with root privileges. Because the weakness lies in root-privileged file operations and is triggered only under specific race conditions, the outcome is not a full compromise but potentially destructive changes to the files the service handles.

Affected Systems

Netatalk 3.0.0 through 4.4.2 is affected by this vulnerability. Any installation of these versions that exercises the ad_flush code path and is exposed to remote connections is at risk.

Risk and Exploitability

The CVSS score of 3.7 indicates low severity, and no EPSS score is available, so there is no published estimate of exploitation probability. The flaw is not listed in the CISA KEV catalog. Exploitation requires an attacker to win a race condition during a remote request that triggers ad_flush, which makes the attack complex and environment-specific. Although the impact is limited to data modification, it occurs with root privileges, which raises the seriousness of the flaw even though widespread exploitation appears unlikely.

Generated by OpenCVE AI on May 21, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Netatalk to a version where the TOCTOU bug is fixed, if a patch has been released.
  • If no patch is available, stop or restrict the Netatalk service to prevent remote access.
  • Configure firewall rules to limit inbound connections to the Netatalk port to trusted hosts only.
  • If possible, run Netatalk under a non‑privileged user account instead of root to mitigate the effect of the race condition.


Tracking


Advisories

No advisories yet.

References
History

Thu, 21 May 2026 10:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Netatalk; Netatalk netatalk

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Netatalk; Netatalk netatalk

Thu, 21 May 2026 09:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: A time-of-check time-of-use (TOCTOU) condition in the ad_flush function in Netatalk 3.0.0 through 4.4.2 involves root-privileged file operations, which may allow a remote attacker to cause limited data modification under specific race conditions.

Type: Title
  Values Removed: (none)
  Values Added: TOCTOU with root privilege in ad_flush

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-367

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Netatalk Netatalk
MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-05-21T08:23:46.648Z

Reserved: 2026-05-05T07:25:36.674Z

Link: CVE-2026-7837

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T09:16:30.803

Modified: 2026-05-21T09:16:30.803

Link: CVE-2026-7837

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T10:30:08Z

Weaknesses