CVE-2026-44066 Overview
CVE-2026-44066 affects Netatalk, an open-source implementation of the Apple Filing Protocol (AFP) used to share files with macOS clients. The vulnerability is a set of heap out-of-bounds reads [CWE-125] in the Spotlight Remote Procedure Call (RPC) unmarshalling code. It impacts Netatalk versions 3.1.0 through 4.4.2.
A remote authenticated attacker can send crafted Spotlight RPC requests to read adjacent heap memory or trigger a limited service disruption. The flaw exposes sensitive in-process data and can degrade availability of the AFP daemon.
Critical Impact
Authenticated remote attackers can leak heap memory contents from the Netatalk daemon and induce minor service disruption through malformed Spotlight RPC traffic.
Affected Products
- Netatalk 3.1.0 through 3.1.x
- Netatalk 3.2.x and 4.x branches
- Netatalk versions up to and including 4.4.2
Discovery Timeline
- 2026-05-21 - CVE-2026-44066 published to NVD
- 2026-05-21 - Last updated in NVD database
Technical Details for CVE-2026-44066
Vulnerability Analysis
Netatalk exposes Apple's Spotlight search protocol over AFP through an RPC mechanism. The server unmarshals binary structures sent by clients into in-memory objects representing queries, attribute requests, and metadata containers. Multiple code paths in this unmarshalling logic fail to validate length and offset fields against the bounds of the source buffer.
When the daemon parses a malformed Spotlight message, it reads bytes past the end of the allocated heap region. The attacker receives the leaked data either through reflected response fields or through observable error behavior. The bug class is a classic out-of-bounds read [CWE-125] rather than a write primitive.
The access scope is limited to authenticated AFP sessions. The integrity impact is rated none, while confidentiality impact is high and availability impact is low.
Root Cause
The Spotlight RPC parser trusts attacker-controlled length, count, and offset values embedded in serialized request structures. The unmarshalling routines advance read pointers based on these untrusted values without verifying that the resulting positions remain inside the input buffer. Multiple distinct code paths share this pattern, producing several variants of the same flaw.
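The pattern in concrete form, as an added illustration that is not Netatalk's Spotlight RPC code: a hypothetical count-and-length record parser in its trusting shape beside a bounds-checked shape that rejects any count or length that would move the read cursor outside the enclosing message. The record layout (uint32 LE count, then count entries of uint32 LE length plus payload) and the sample buffers are constructed for the example.

```c
/* Added illustration of the CWE-125 pattern behind CVE-2026-44066.
 * NOT Netatalk code; the record layout is hypothetical: uint32 LE count,
 * then count entries of (uint32 LE length, length payload bytes). */
#include <stdint.h>
#include <stddef.h>

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable shape: count and length are trusted, so the read cursor can
 * leave the buffer. Shown for contrast only; never run on untrusted input. */
size_t total_payload_unsafe(const uint8_t *buf) {
    const uint8_t *p = buf;
    uint32_t count = rd32(p); p += 4;
    size_t total = 0;
    for (uint32_t i = 0; i < count; i++) {
        uint32_t len = rd32(p); p += 4;   /* header read may already be OOB */
        total += len;
        p += len;                          /* cursor advanced by untrusted value */
    }
    return total;
}

/* Hardened shape: every read is checked against the bytes that remain
 * before the cursor moves. Returns -1 on any inconsistency. */
long total_payload_checked(const uint8_t *buf, size_t buflen) {
    size_t off = 0, total = 0;
    if (buflen - off < 4) return -1;               /* count header must fit */
    uint32_t count = rd32(buf + off); off += 4;
    for (uint32_t i = 0; i < count; i++) {
        if (buflen - off < 4) return -1;           /* length header must fit */
        uint32_t len = rd32(buf + off); off += 4;
        if (len > buflen - off) return -1;         /* payload must fit */
        total += len;
        off += len;                                /* off <= buflen holds */
    }
    return (long)total;
}

/* Constructed samples. Well-formed: two entries of 3 and 1 payload bytes. */
const uint8_t GOOD[] = {2,0,0,0, 3,0,0,0,'a','b','c', 1,0,0,0,'z'};
/* Malformed: count says 2 but the buffer ends after the first entry. */
const uint8_t BAD_COUNT[] = {2,0,0,0, 3,0,0,0,'a','b','c'};
/* Malformed: length 0xFFFFFFF0 far exceeds the enclosing message. */
const uint8_t BAD_LEN[] = {1,0,0,0, 0xF0,0xFF,0xFF,0xFF, 'a'};
```

The checked variant compares each untrusted value against the remaining length before advancing, which is exactly the step the advisory says the affected unmarshalling routines omit.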
Attack Vector
An attacker first authenticates to the AFP service with valid credentials. The attacker then opens a Spotlight session against a shared volume and submits crafted RPC messages with manipulated length and offset fields. The Netatalk daemon parses these messages and returns response data containing adjacent heap memory, or terminates the session under specific malformed inputs.
The vulnerability is described in prose only because no public proof-of-concept code is associated with this CVE. Refer to the Netatalk Security Advisory for CVE-2026-44066 for protocol-level technical details.
Detection Methods for CVE-2026-44066
Indicators of Compromise
- Unexpected afpd child process crashes or abnormal termination entries in system logs correlated with active AFP client sessions.
- AFP sessions originating from authenticated users that issue unusually large or malformed Spotlight query payloads.
- Repeated Spotlight RPC requests from a single client followed by session resets or daemon error messages.
Detection Strategies
- Monitor afpd process behavior for repeated faults, segmentation signals, or memory access errors during Spotlight operations.
- Inspect AFP traffic for Spotlight RPC messages with length or count fields that exceed the size of the enclosing message.
- Correlate authentication events with subsequent Spotlight query volume per user to surface accounts probing the parser.
Monitoring Recommendations
- Forward afpd logs and host audit data to a centralized analytics platform and alert on daemon restarts.
- Track per-user AFP session counts, Spotlight query rates, and response sizes to baseline normal behavior.
- Enable verbose Netatalk logging in environments where Spotlight is exposed and review parser-related warnings.
How to Mitigate CVE-2026-44066
Immediate Actions Required
- Upgrade Netatalk to a fixed release published after version 4.4.2 as described in the vendor advisory.
- Audit AFP user accounts and remove or rotate credentials for users who do not require file share access.
- Restrict network reachability of the AFP service to trusted client subnets using host or network firewalls.
Patch Information
The Netatalk project published a security advisory for this issue (Netatalk Security Advisory for CVE-2026-44066). Apply the patched release referenced in that advisory to all hosts running Netatalk 3.1.0 through 4.4.2. Rebuild and redeploy any container images or appliance firmware that bundle vulnerable Netatalk binaries.
Workarounds
- Disable Spotlight support in afp.conf by setting spotlight = no on shares and globally where search is not required.
- Block TCP port 548 at the network perimeter and limit AFP access to VPN or management networks.
- Where feasible, migrate clients to SMB and stop the Netatalk service until the patched version is deployed.
# Configuration example: disable Spotlight in Netatalk afp.conf
[Global]
spotlight = no
[Share]
path = /srv/share
spotlight = no
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.