Primary

Context

Netatalk Missing o_len Bounds Check in Charset Conversion Function Vulnerability

Vulnerability

Patched

A vulnerability exists in Netatalk versions 2.0.4 through 4.4.2, due to a missing bounds check in the 'pull_charset_flags()' function. This flaw allows for memory corruption by writing beyond the allocated output space while handling crafted filename or path data. An authenticated client could potentially exploit this issue, with the actual impact depending on triggering specific conversion states with unusually long filenames or paths.

Impact

Exploitation of this vulnerability can lead to memory corruption, with the potential for arbitrary code execution.

Remediation

Users can upgrade to Netatalk version 4.4.3 or later, which includes the necessary patch. Alternatively, the patch can be applied to a Netatalk 4.4.2 source tree to hotfix the vulnerability.

Added: May 21, 2026, 8:37 AM

Updated: May 21, 2026, 8:37 AM

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

0.6

exploitability

4.9

remediation

7.9

relevance

9.0

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

0.6

exploitability

4.9

remediation

7.9

relevance

9.0

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Netatalk Missing o_len Bounds Check in Charset Conversion Function Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Netatalk

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating