CVE-2024-38441

9.8 CRITICAL

📋 TL;DR

This CVE describes a heap-based buffer overflow vulnerability in Netatalk's AFP service due to an off-by-one error when processing file/directory names. Attackers can exploit this to execute arbitrary code or crash the service. All systems running vulnerable Netatalk versions with AFP enabled are affected.

💻 Affected Systems

Products:
  • Netatalk
Versions: All versions before 2.4.1, 3.1.19, and 3.2.1
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with AFP service enabled (default in many Netatalk installations).

📦 What is this software?

Netatalk is an open-source implementation of the Apple Filing Protocol (AFP) that lets Linux and other Unix-like systems serve files to macOS clients. The vulnerable component is its AFP daemon (afpd), which listens on TCP port 548.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with root privileges leading to complete system compromise, data theft, and persistent backdoor installation.

🟠 Likely Case

Service crash causing denial of service, potentially followed by remote code execution if the exploit is refined.

🟢 If Mitigated

Denial of service at most, when exploit attempts are blocked or fail, with no privilege escalation.

🌐 Internet-Facing: HIGH - Netatalk AFP service often exposed to network, CVSS 9.8 indicates network-accessible attack vector.
🏢 Internal Only: HIGH - Even internally, this allows lateral movement and privilege escalation within networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

CVSS 9.8 suggests relatively straightforward exploitation, but no public exploit code has been confirmed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.1, 3.1.19, or 3.2.1

Vendor Advisory: https://netatalk.io/security/CVE-2024-38441

Restart Required: Yes

Instructions:

1. Stop the Netatalk service.
2. Update to a patched version via the package manager or by compiling from source.
3. Restart the Netatalk service.

🔧 Temporary Workarounds

Disable AFP Service

Temporarily disable the vulnerable AFP protocol if it is not required:

sudo systemctl stop netatalk
sudo systemctl disable netatalk

Network Segmentation

Restrict access to the Netatalk AFP port (548/tcp) using firewall rules. As written, this rule drops all inbound 548/tcp traffic; if AFP must stay reachable, place ACCEPT rules for trusted client subnets ahead of it:

sudo iptables -A INPUT -p tcp --dport 548 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit AFP service exposure
  • Deploy runtime protection/ASLR to make exploitation more difficult

🔍 How to Verify

Check if Vulnerable:

Check the installed Netatalk version with netatalk -v or dpkg -l | grep netatalk and compare it against the patched release for its branch.

Check Version:

netatalk -v 2>/dev/null || dpkg -l netatalk 2>/dev/null || rpm -q netatalk 2>/dev/null

Verify Fix Applied:

Confirm the version is at or above the patched release for its branch: 2.4.1 on 2.x, 3.1.19 on 3.1.x, or 3.2.1 on 3.2.x. Compare within the branch, not numerically across branches: 3.1.18 is newer than 2.4.1 but still vulnerable.
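A small POSIX sh helper, added here as an example rather than taken from the advisory or the Netatalk project, that performs this per-branch comparison. It assumes the fixed releases listed above (2.4.1, 3.1.19, 3.2.1), the function names are hypothetical, and the dpkg line it parses is a constructed sample.

```shell
#!/bin/sh
# Added example: classify a Netatalk version against the fixed releases the
# advisory names (2.4.1, 3.1.19, 3.2.1). Each branch is compared with its own
# fix: 3.1.18 sorts after 2.4.1 numerically but is still vulnerable on 3.1.

# True (exit 0) when dotted version $1 is lower than $2 in its first three
# numeric fields. Distribution suffixes such as "-2ubuntu1" are ignored.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//').0.0
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1    # equal
}

# Print "vulnerable", "fixed" or "unknown" for Netatalk version $1.
# "unknown" is a branch the advisory does not list (e.g. 4.x): consult the
# vendor advisory rather than assuming either state.
netatalk_status() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s.0' "$1" | cut -d. -f2 | sed 's/[^0-9].*$//')
    case "$major.$minor" in
        1.*|2.*)  fix=2.4.1  ;;   # "all versions before 2.4.1"
        3.0|3.1)  fix=3.1.19 ;;
        3.*)      fix=3.2.1  ;;
        *)        echo unknown; return 0 ;;
    esac
    if version_lt "$1" "$fix"; then echo vulnerable; else echo fixed; fi
}

# First "X.Y.Z..." token on a line, e.g. one line of `dpkg -l netatalk` output.
extract_version() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+/) { print $i; exit } }'
}

# Constructed sample of a dpkg -l line, not output captured from a real host.
SAMPLE_DPKG_LINE='ii  netatalk  3.1.18-2  amd64  Apple Filing Protocol service'

for v in 2.2.6 2.4.1 3.1.18 3.1.19 3.2.0 3.2.1 3.3.0 "$(extract_version "$SAMPLE_DPKG_LINE")"; do
    printf '%-12s %s\n' "$v" "$(netatalk_status "$v")"
done
```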

📡 Detection & Monitoring

Log Indicators:

  • Netatalk crash logs
  • Unexpected AFP connection attempts
  • Memory corruption errors in system logs

Network Indicators:

  • Unusual traffic to TCP port 548
  • Malformed AFP protocol packets

SIEM Query:

source="netatalk.log" AND ("segmentation fault" OR "buffer overflow" OR "crash")
