Arjun Basnet discovered that Netatalk improperly validated inputs when unmarshalling Spotlight Remote Procedure Call. A remote authenticated attacker could possibly use this issue to cause a denial of service or obtain sensitive information. (CVE-2026-44066)
Arjun Basnet discovered that Netatalk improperly sanitized extended attribute path components. A remote authenticated attacker could possibly use this issue to perform path traversal attacks and write to arbitrary files outside the intended metadata directory. (CVE-2026-44068)
4.2.3~ds-2.1ubuntu0.22.2.2-1ubuntu2.2+esm42.2.5-1ubuntu0.2+esm42.2.6-1ubuntu0.18.04.2+esm43.1.12~ds-4ubuntu0.20.04.4+esm23.1.12~ds-9ubuntu0.22.04.4+esm23.1.18~ds-1ubuntu0.1~esm3