Netatalk
cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*
- >= 2.2.1, <= 4.4.2
A vulnerability exists in Netatalk versions 2.2.1 prior to 4.4.2, where the 'system()' function is called after a failed 'chdir()' operation. This issue can cause the CNID database cleanup process to inadvertently affect files in the wrong directory. Although the executed command is fixed and not subject to injection, the vulnerability could be exploited by manipulating the service environment to induce directory change failures.
Exploitation of this vulnerability could disrupt the CNID database cleanup process, causing it to operate on files in incorrect directories.
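The unchecked-`chdir()` pattern described above, shown beside a checked form in a self-contained C illustration. This is an added example, not Netatalk's source or its patch; the function names, the `example.lock` file name, and the paths are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define STALE "example.lock"          /* constructed file name */
#define CLEANUP_CMD "rm -f " STALE    /* fixed command, nothing to inject */

/* Risky pattern: the chdir() result is dropped, so on failure system()
   runs the relative-path cleanup in whatever directory is current. */
int cleanup_unchecked(const char *dbdir)
{
    int rc = chdir(dbdir);
    (void)rc;                         /* failure is never acted on */
    return system(CLEANUP_CMD);
}

/* Hardened pattern: refuse to run the cleanup unless chdir() succeeded. */
int cleanup_checked(const char *dbdir)
{
    if (chdir(dbdir) != 0) {
        perror("chdir");
        return -1;
    }
    return system(CLEANUP_CMD);
}

/* Constructed scenario: an unrelated working directory holds a file with the
   same name, and the database directory cannot be entered.
   Returns 1 if that file survives, 0 if it was deleted, -1 on setup error. */
int bystander_survives(int (*cleanup)(const char *))
{
    char wd[64];
    snprintf(wd, sizeof wd, "/tmp/chdir-demo-%ld", (long)getpid());
    if (mkdir(wd, 0700) != 0 || chdir(wd) != 0) return -1;
    FILE *f = fopen(STALE, "w");
    if (f == NULL) return -1;
    fclose(f);
    cleanup("/nonexistent/example-db-dir");   /* constructed path; chdir() fails */
    int survived = (access(STALE, F_OK) == 0);
    unlink(STALE);
    if (chdir("/") == 0) rmdir(wd);
    return survived;
}

int main(void)
{
    printf("unchecked: file survives = %d\n", bystander_survives(cleanup_unchecked));
    printf("checked:   file survives = %d\n", bystander_survives(cleanup_checked));
    return 0;
}
```

When auditing for the same class of bug, look for any `system()`, `unlink()` or glob-based cleanup that relies on relative paths immediately after a `chdir()` whose return value is not tested.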
Users can upgrade to Netatalk version 4.5.0 or later, which includes the necessary patch. Alternatively, the patch can be applied to a Netatalk 4.4.2 source tree. The Netatalk team advises against proactively applying the patch to existing deployments due to the low likelihood of exploitation.