Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
7DescriptionCVE.org
mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest.
AnalysisAI
Mutt before 2.3.2 uses an unsafe string copy function (strfcpy) instead of memcpy when handling MD5 digest data in IMAP CRAM authentication, allowing attackers to potentially forge IMAP credentials by triggering buffer manipulation during the authentication handshake. The vulnerability requires manual connection attempt to a malicious IMAP server and affects network IMAP authentication flows, though the low CVSS score (3.7) reflects high attack complexity and integrity impact only.
Technical ContextAI
Mutt's IMAP CRAM-MD5 authentication mechanism uses strfcpy (a string-safe copy function designed to null-terminate strings) to copy binary MD5 digest data into a buffer. strfcpy interprets the digest data as a C string and stops copying at the first null byte encountered, potentially truncating the cryptographic hash. The correct function, memcpy, performs fixed-length binary copying without null-byte interpretation. The vulnerability resides in imap/auth_cram.c line 152 (per commit 834c5a2), where strfcpy was called on a 16-byte MD5 digest (MD5_DIGEST_LEN) that may contain null bytes. CWE-158 (Improper Neutralization of Null Byte or NUL Character) categorizes this flaw: the null bytes within the binary digest are incorrectly interpreted as string terminators, truncating the authentication material.
RemediationAI
Upgrade Mutt to version 2.3.2 or later, which replaces the strfcpy call with memcpy in the IMAP CRAM-MD5 authentication function (commit 834c5a2ed0479e51e8662a31caed129f136f4805). Users unable to upgrade immediately should restrict IMAP authentication to trusted, internal mail servers and enable TLS/SSL encryption for all IMAP connections to reduce the attack surface. Disabling CRAM-MD5 authentication in favor of other mechanisms (PLAIN over TLS, OAuth2) is a workaround if the mail server supports alternatives, though this reduces authentication security if TLS is not enforced. The trade-off of disabling CRAM-MD5 is loss of a non-plaintext authentication option; verify server support before applying this mitigation.
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
The write_one_header function in mutt 1.5.23 does not properly handle newline characters at the beginning of a header, w
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26895