Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
7DescriptionCVE.org
mutt before 2.3.2 sometimes truncates the hash_passwd by one byte for IMAP auth_cram MD5 digest.
AnalysisAI
mutt before version 2.3.2 truncates the IMAP CRAM-MD5 authentication hash by one byte due to incorrect use of strfcpy instead of memcpy, potentially allowing attackers to bypass or weaken authentication on IMAP connections through off-by-one string handling errors.
Technical ContextAI
mutt is a text-based email client that supports IMAP authentication via the CRAM-MD5 mechanism, which uses an MD5 HMAC digest to authenticate users without transmitting passwords in cleartext. The vulnerability exists in the imap/auth_cram.c module's hmac_md5 function, specifically in how it copies the MD5 password hash into a buffer. The root cause is classified as CWE-193 (Off-by-one Error): the original code used strfcpy, a string copy function that treats the input as a null-terminated string and stops at the first null byte. MD5 digests are binary data (16 bytes) that may contain null bytes, causing premature truncation. The fix replaces strfcpy with memcpy, which copies a fixed number of bytes (MD5_DIGEST_LEN = 16) without null-byte interpretation, preserving the complete binary hash.
RemediationAI
Upgrade mutt to version 2.3.2 or later. The fix is available in upstream commit 834c5a2ed0479e51e8662a31caed129f136f4805 on GitHub (https://github.com/muttmua/mutt/commit/834c5a2ed0479e51e8662a31caed129f136f4805), which replaces the strfcpy call with memcpy in the hmac_md5 function. Users unable to upgrade immediately can mitigate by switching to alternative IMAP authentication methods supported by their mail server, such as PLAIN (over TLS), LOGIN, or XOAUTH2, rather than CRAM-MD5-this eliminates the attack surface entirely but requires reconfiguration of .muttrc authentication settings and server support for alternatives. Another mitigation is to restrict IMAP connections to servers enforcing TLS to prevent interception of the truncated hash during transit, though this does not fix the underlying cryptographic weakness.
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
The write_one_header function in mutt 1.5.23 does not properly handle newline characters at the beginning of a header, w
Same weakness CWE-193 – Off-by-one Error
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26896