CVE-2026-44066: Netatalk Heap Out-of-Bounds Read Poses High Risk
The National Vulnerability Database (NVD) has published details on CVE-2026-44066, a high-severity vulnerability impacting Netatalk versions 3.1.0 through 4.4.2. This flaw involves heap out-of-bounds reads during Spotlight RPC unmarshalling, carrying a CVSS score of 7.1. Such vulnerabilities often lead to information disclosure or denial of service, but can, in some scenarios, be chained to achieve remote code execution.
Netatalk is a widely used open-source implementation of the Apple Filing Protocol (AFP), allowing Unix-like systems to serve as file servers for macOS clients. A heap out-of-bounds read in a service like AFP, which handles network requests, is a critical concern. Attackers can craft malicious RPC requests to trigger these reads, potentially exfiltrating sensitive memory contents or crashing the service.
The fix is available in Netatalk version 4.4.3. Organizations running affected versions are exposed to significant risk. Given Netatalk’s role in file sharing, a compromise could lead to unauthorized access to files or disruption of critical network services. This isn’t theoretical; these types of flaws are consistently exploited in the wild.
What This Means For You
- If your organization uses Netatalk, you need to immediately identify all instances running versions 3.1.0 through 4.4.2. Prioritize patching to version 4.4.3 without delay. Audit your Netatalk configurations and network access controls to limit exposure while you patch.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-44066: Netatalk Spotlight RPC Unmarshalling Heap OOB Read
title: CVE-2026-44066: Netatalk Spotlight RPC Unmarshalling Heap OOB Read
id: scw-2026-05-21-ai-1
status: experimental
level: high
description: |
This rule detects potential exploitation attempts against CVE-2026-44066 by looking for specific URI paths and query parameters associated with the vulnerable Spotlight RPC unmarshalling functionality in Netatalk. Successful exploitation can lead to heap out-of-bounds reads.
author: SCW Feed Engine (AI-generated)
date: 2026-05-21
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-44066/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/.well-known/netatalk/spotlight'
cs-uri-query|contains:
- 'rpc_unmarshalling'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44066 | Memory Corruption | Netatalk versions 3.1.0 through 4.4.2 |
| CVE-2026-44066 | Buffer Overflow | Heap out-of-bounds reads in spotlight rpc unmarshalling |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 21, 2026 at 11:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-42396 — Insufficient Validation of Member Zone Data May Cause
CVE-2026-42396 — Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail
CVE-2026-42002 — Concurrency and locking defects in
CVE-2026-42002 — Concurrency and locking defects in GSS-TSIG
CVE-2026-42001: Autoprimary SOA Queries Vulnerability
CVE-2026-42001 — Insufficient Validation of Autoprimary SOA Queries