PatchSiren cyber security CVE debrief

CVE-2026-44066 Netatalk CVE debrief

CVE-2026-44066 is a high-severity weakness in Netatalk’s Spotlight RPC unmarshalling path. The issue is described as multiple heap out-of-bounds reads affecting Netatalk 3.1.0 through 4.4.2, and it can let a remote authenticated attacker obtain sensitive information or cause a minor service disruption.

Vendor: Netatalk
Product: Unknown
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators and security teams running Netatalk, especially deployments that expose Spotlight RPC functionality to authenticated network users. Systems handling shared files, macOS interoperability, or legacy Apple networking services should prioritize review.

Technical summary

According to the NVD record and the linked Netatalk advisory, the vulnerability is a heap out-of-bounds read condition in Spotlight RPC unmarshalling. NVD maps it to CVE-2026-44066 with CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L and CWE-125. The described impact is confidentiality (information disclosure) and minor availability loss rather than integrity compromise.

Defensive priority

High. The attack requires authentication but is network-reachable and can expose sensitive memory content. Because the flaw affects a broad version range and involves memory safety, it should be reviewed and mitigated promptly on any exposed or shared Netatalk deployment.

Recommended defensive actions

  • Review the Netatalk security advisory for CVE-2026-44066 and apply the vendor-provided fix or upgrade path as soon as it is available.
  • Inventory all Netatalk instances and confirm whether versions 3.1.0 through 4.4.2 are in use.
  • Restrict network access to Netatalk services to trusted authenticated users and internal segments only.
  • Monitor for abnormal service behavior or unexpected crashes in components that process Spotlight RPC requests.
  • Validate that any compensating controls, such as authentication and segmentation, are actually enforced on exposed systems.
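For the inventory step, the comparison that matters is numeric, not lexical: a naive string check would place a hypothetical "4.10.0" below "4.4.2" and flag it as affected. The following helper, added here as an example and not part of the PatchSiren debrief or the Netatalk project, parses a version string out of text such as a banner line and tests it against the 3.1.0 through 4.4.2 range quoted in the advisory. The banner format and host names in the sample inventory are constructed; the page does not name a fixed release, so the check only reports versions inside the affected range.

```python
"""Flag Netatalk versions inside the CVE-2026-44066 affected range (added example)."""
import re

# Inclusive bounds taken from the advisory text: 3.1.0 through 4.4.2.
AFFECTED_MIN = (3, 1, 0)
AFFECTED_MAX = (4, 4, 2)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first MAJOR.MINOR.PATCH found in text as a tuple of ints.
    Tuples compare element-wise, so (4, 10, 0) > (4, 4, 2) as intended."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True when the version lies within the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def triage(inventory):
    """inventory: {host: version banner}. Returns the hosts needing action,
    sorted, plus a list of hosts whose banner could not be parsed."""
    affected, unparsed = [], []
    for host, banner in inventory.items():
        try:
            if is_affected(banner):
                affected.append(host)
        except ValueError:
            unparsed.append(host)
    return sorted(affected), sorted(unparsed)


# Constructed sample inventory; the banner layout is an assumption, not vendor output.
SAMPLE_INVENTORY = {
    "fileserver-01": "afpd 3.1.18 - Apple Filing Protocol (AFP) daemon of Netatalk",
    "fileserver-02": "netatalk 4.4.2",
    "fileserver-03": "netatalk 4.10.0",   # lexically "4.10" < "4.4", numerically it is newer
    "legacy-afp":    "netatalk 2.2.6",    # predates the affected range
    "unknown-host":  "afpd (version unavailable)",
}

if __name__ == "__main__":
    needs_action, could_not_parse = triage(SAMPLE_INVENTORY)
    print("affected:", needs_action)          # ['fileserver-01', 'fileserver-02']
    print("could not parse:", could_not_parse)  # ['unknown-host']
```

Hosts in the second list are not safe, only unknown; they should be checked by hand rather than dropped from the review.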

Evidence notes

Source evidence provided in the corpus states: “Multiple heap out-of-bounds reads in the Spotlight RPC unmarshalling code in Netatalk 3.1.0 through 4.4.2 allow a remote authenticated attacker to obtain sensitive information or cause a minor service disruption.” NVD assigns CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L and CWE-125. The only product-specific reference supplied is the Netatalk advisory URL.

Official resources

CVE published and last modified on 2026-05-21. NVD marked the record as received the same day, and the supplied source reference points to the Netatalk security advisory.