Afs3-fileserver Exploit May 2026

Unlike NFS or SMB, AFS uses a proprietary RPC mechanism originally derived from the Andrew File System. The afs3-fileserver handles file operations, volume management, and access control lists (ACLs).

The protocol relies on Rx (RX RPC), a remote procedure call protocol developed at Transarc Corporation. Rx packets contain:

Once the confusion is established, the attacker injects a forged RXAFS_StoreData request. This call is meant to write data to a file in a user's home directory. However, due to the earlier buffer confusion, the server bypasses the pioctl access check. The result: arbitrary write access to any volume, including the system's root.afs volume.

In layman's terms: the attacker convinces the fileserver that they have the right to overwrite the server's own binary configuration. From there, modifying the /etc/openafs/server/KeyFile to add a new superuser key is trivial.

To understand the exploit, you must first understand the culture of AFS. Unlike NFS (Network File System), which treats every machine as a potential enemy, AFS was built around the concept of a "cell"—a kingdom of trusted servers and clients. Authentication relied on a Kerberos-like token system. Once you obtained an AFS token, you could traverse the global filesystem with a single command: aklog.

The fileserver process (the core daemon that manages volume data) listened on UDP port 7000. For decades, security researchers glanced at it and moved on. It was old. It was obscure. It was "probably fine."

It was not fine.