Ubuntu has released a critical security update to address multiple vulnerabilities in Netatalk, the open-source implementation of the Apple Filing Protocol (AFP). These flaws, which include risks of denial of service and path traversal attacks, could allow remote authenticated attackers to compromise affected systems. This update is essential for system administrators and IT professionals managing file-sharing services between Linux servers and macOS clients.
Failing to patch these vulnerabilities could lead to unauthorized data access, arbitrary file modifications, or complete service disruption. Security researcher Arjun Basnet discovered two primary issues within how Netatalk processes specific requests. The first vulnerability, tracked as CVE-2026-44066, stems from improper input validation when unmarshalling Spotlight Remote Procedure Call (RPC) data. A remote authenticated attacker could exploit this weakness to trigger a denial of service or extract sensitive information from the server.
The second and potentially more dangerous flaw, CVE-2026-44068, involves the improper sanitization of extended attribute path components. By exploiting this vulnerability, an attacker can execute a path traversal attack, allowing them to write arbitrary files entirely outside the intended metadata directory. This level of access poses a severe risk to the integrity of the host filesystem.
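The bug class named here, a caller-supplied path component joined under a fixed metadata directory without sanitization, is easy to see beside its hardened form. The following is an added illustration written for this article, not Netatalk source code; the directory `METADATA_DIR`, the sample names and the function names are constructed for the example.

```python
"""Vulnerable join of an untrusted metadata name versus a hardened check
that only accepts a single plain path component and verifies containment.
Added example, not Netatalk code; METADATA_DIR and the names are constructed."""
import os

# Constructed: the directory under which per-file metadata is supposed to stay.
METADATA_DIR = "/srv/example-share/.AppleDouble"


def naive_metadata_path(base, name):
    """Vulnerable pattern: trust the caller-supplied name and join it.
    A name containing '/' or '..' (or an absolute path) resolves elsewhere."""
    return os.path.normpath(os.path.join(base, name))


def safe_metadata_path(base, name):
    """Hardened pattern: accept exactly one plain path component, then verify
    the resolved target is still inside the base directory."""
    if not name or name in (".", "..") or "/" in name or "\0" in name:
        raise ValueError(f"rejected metadata name: {name!r}")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    # commonpath guards against prefix tricks such as base='/a/b', target='/a/bc'
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"{target!r} escapes {base_real!r}")
    return target


def escapes_base(base, path):
    """True when 'path' does not lie under 'base' after resolution."""
    base_real = os.path.realpath(base)
    return os.path.commonpath([base_real, os.path.realpath(path)]) != base_real


def audit(names, base=METADATA_DIR):
    """For each candidate name report where the naive join would put it,
    whether that leaves the base directory, and whether the hardened
    check accepts the name at all."""
    report = {}
    for name in names:
        naive = naive_metadata_path(base, name)
        try:
            safe_metadata_path(base, name)
            accepted = True
        except ValueError:
            accepted = False
        report[name] = {
            "naive_target": naive,
            "naive_escapes": escapes_base(base, naive),
            "hardened_accepts": accepted,
        }
    return report


if __name__ == "__main__":
    # Constructed sample names: one legitimate, three that must be rejected.
    sample = ["file.txt", "../outside.txt", "sub/inner", "/abs/elsewhere"]
    for name, row in audit(sample).items():
        print(f"{name!r:20} naive -> {row['naive_target']} "
              f"(escapes={row['naive_escapes']}) "
              f"hardened_accepts={row['hardened_accepts']}")
```

The hardened version rejects nested names such as `sub/inner` even though they stay inside the directory; a metadata store that only ever needs one component per file is simpler to reason about when the policy is "one plain component, then verify containment" rather than an attempt to normalize arbitrary input.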
How to Secure Your Ubuntu System
To protect your infrastructure, you must apply the latest security patch immediately. You can update your system using the standard package manager commands in your terminal:
sudo apt update
sudo apt upgrade
The problem is officially corrected in specific package versions across different Ubuntu releases. Note that for older Long Term Support (LTS) releases, the patch is exclusively available through Ubuntu Pro. Ensure your system is running the following Netatalk package versions or newer:
- Ubuntu 26.04 LTS: Update to version 4.2.3~ds-2.1ubuntu0.2
- Ubuntu 24.04 LTS: Update to version 3.1.18~ds-1ubuntu0.1~esm3 (Requires Ubuntu Pro)
- Ubuntu 22.04 LTS: Update to version 3.1.12~ds-9ubuntu0.22.04.4+esm2 (Requires Ubuntu Pro)
- Ubuntu 20.04 LTS: Update to version 3.1.12~ds-4ubuntu0.20.04.4+esm2 (Requires Ubuntu Pro)
- Ubuntu 18.04 LTS: Update to version 2.2.6-1ubuntu0.18.04.2+esm4 (Requires Ubuntu Pro)
- Ubuntu 16.04 LTS: Update to version 2.2.5-1ubuntu0.2+esm4 (Requires Ubuntu Pro)
- Ubuntu 14.04 LTS: Update to version 2.2.2-1ubuntu2.2+esm4 (Requires Ubuntu Pro)
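After upgrading, an administrator will want to confirm that the installed package actually meets the fixed version for the release in question, since an unenrolled older LTS host will silently stay on the vulnerable package. The script below is an added example written for this article, not an Ubuntu or Netatalk tool. It carries the fixed-version table from the list above and reimplements dpkg's version-ordering rules in Python so that it runs anywhere (the assumption is that this reimplementation orders these particular strings exactly as dpkg does); on a Debian-based host it reads the live version with `dpkg-query -W -f='${Version}' netatalk`, and otherwise falls back to a constructed sample value.

```python
"""Check whether the installed netatalk package on an Ubuntu host is at or
above the fixed version for that release.  Added example; the fixed-version
table is the one in the advisory text, the comparison reimplements dpkg's
version ordering (assumption: it matches dpkg for these strings)."""
import subprocess

# Fixed versions per Ubuntu release, copied from the advisory list above.
FIXED_VERSIONS = {
    "26.04": "4.2.3~ds-2.1ubuntu0.2",
    "24.04": "3.1.18~ds-1ubuntu0.1~esm3",
    "22.04": "3.1.12~ds-9ubuntu0.22.04.4+esm2",
    "20.04": "3.1.12~ds-4ubuntu0.20.04.4+esm2",
    "18.04": "2.2.6-1ubuntu0.18.04.2+esm4",
    "16.04": "2.2.5-1ubuntu0.2+esm4",
    "14.04": "2.2.2-1ubuntu2.2+esm4",
}


def _order(ch):
    """dpkg character weight: '~' sorts before everything, even end of string."""
    if ch == "~":
        return -1
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _verrevcmp(a, b):
    """Compare two version fragments with dpkg's alternating
    non-digit / digit segment algorithm."""
    def at(s, k):
        return s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (at(a, i) and not at(a, i).isdigit()) or (at(b, j) and not at(b, j).isdigit()):
            ac, bc = _order(at(a, i)), _order(at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while at(a, i) == "0":
            i += 1
        while at(b, j) == "0":
            j += 1
        while at(a, i).isdigit() and at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if at(a, i).isdigit():
            return 1
        if at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 like dpkg --compare-versions would order v1 and v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return (e1 > e2) - (e1 < e2)
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def is_patched(release, installed):
    """True when 'installed' is at or above the fixed version for 'release'."""
    fixed = FIXED_VERSIONS.get(release)
    if fixed is None:
        raise KeyError(f"no fixed netatalk version known for Ubuntu {release}")
    return compare_versions(installed, fixed) >= 0


def installed_version(package="netatalk"):
    """Ask dpkg for the installed version; None if dpkg or the package is absent."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                             capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample: a 24.04 host still one ESM revision behind.
    release, version = "24.04", "3.1.18~ds-1ubuntu0.1~esm2"
    live = installed_version()
    if live:
        version = live
    state = "patched" if is_patched(release, version) else "VULNERABLE"
    print(f"netatalk {version} on Ubuntu {release}: {state} "
          f"(fixed in {FIXED_VERSIONS[release]})")
```

The `~esm` suffixes matter here: dpkg treats `~` as sorting before the empty string, so `3.1.18~ds-1ubuntu0.1~esm2` correctly orders below `~esm3`, and the script reports such a host as still vulnerable rather than being fooled by the matching upstream number.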
The Hidden Risks of Legacy File Protocols
The discovery of these vulnerabilities highlights a growing operational risk for enterprise environments: the continued reliance on legacy protocols. While Netatalk remains a crucial bridge for older macOS clients requiring AFP, Apple itself deprecated AFP in favor of the Server Message Block (SMB) protocol years ago. The fact that critical flaws are still surfacing in Netatalk's Spotlight RPC handling proves that maintaining backward compatibility often comes with a steep security cost.
For system administrators, this patch should serve as a catalyst for a broader infrastructure review. If your network no longer relies on legacy Apple hardware, transitioning entirely to SMB and disabling Netatalk is the most effective way to reduce your attack surface. For those who must maintain AFP support, enrolling older servers in Ubuntu Pro is no longer optional - it is a mandatory requirement to keep aging infrastructure secure against modern path traversal exploits.