| Subject | Missing o_len bounds check in pull_charset_flags() |
|---|---|
| CVE ID# | CVE-2026-44062 |
| Severity | High |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 2.0.4 - 4.4.2 |
| Summary | Charset conversion can write a two-byte sequence after the remaining output length has underflowed |
Charset conversion can write beyond the remaining output space while processing crafted filename or path data. An authenticated client may be able to trigger memory corruption; practical impact depends on reaching unusual conversion states with long filenames or paths.
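The defect class the advisory describes, as an added illustration in C that is not Netatalk's code: a simplified conversion loop that emits a two-byte output unit per input byte while counting down the remaining output length `o_len`. The function names and the one-byte-to-two-byte mapping are hypothetical; the point is that without a check for at least two bytes of room, `o_len` underflows and every later "space remaining" test passes.

```c
#include <stddef.h>
#include <stdint.h>

/* Hardened shape: refuse to emit a two-byte sequence unless two bytes
 * of output remain. Returns the number of bytes written, or -1 when the
 * output buffer would be exceeded. (Hypothetical model, not Netatalk's
 * pull_charset_flags().) */
static long expand_to_two_byte(const uint8_t *in, size_t i_len,
                               uint8_t *out, size_t o_cap)
{
    size_t o_len = o_cap;   /* remaining output bytes, counted down */
    uint8_t *p = out;

    while (i_len > 0) {
        /* The bounds check the advisory says was missing: with only an
         * "o_len == 0" test, o_len == 1 lets o_len -= 2 wrap to SIZE_MAX-1. */
        if (o_len < 2)
            return -1;
        p[0] = 0x00;        /* high byte of the two-byte unit */
        p[1] = *in++;       /* low byte carries the input byte */
        p += 2;
        o_len -= 2;
        i_len--;
    }
    return (long)(o_cap - o_len);
}

/* Model of the unguarded loop: same accounting, but the only exit test is
 * o_len != 0. It never touches memory; it returns how many bytes past
 * o_cap the unguarded loop would have written, which is non-zero exactly
 * when the size_t subtraction underflows. */
static size_t unguarded_overrun(size_t i_len, size_t o_cap)
{
    size_t o_len = o_cap, written = 0;

    while (i_len > 0 && o_len != 0) {   /* the only check present */
        written += 2;
        o_len -= 2;                      /* wraps when o_len == 1 */
        i_len--;
    }
    return written > o_cap ? written - o_cap : 0;
}
```

With an odd output capacity (3 bytes) and three input bytes, the unguarded model reports a 3-byte overrun, while the guarded function returns -1 instead of writing past the buffer.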
Apply CVE-2026-44062.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.
Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)
Restrict AFP access to trusted clients until patched.
Vulnerability reported by: Arjun Basnet from Securin
Patch developed by: Daniel Markstedt of the Netatalk team