Skip to main content

mutt CVE-2026-43860

| EUVDEUVD-2026-26896 LOW
Off-by-one Error (CWE-193)
2026-05-04 mitre
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

7
Patch available
May 04, 2026 - 07:31 EUVD
Source Code Evidence Fetched
May 04, 2026 - 07:30 vuln.today
Analysis Generated
May 04, 2026 - 07:30 vuln.today
Patch released
May 04, 2026 - 07:16 nvd
Patch available
EUVD ID Assigned
May 04, 2026 - 07:00 euvd
EUVD-2026-26896
Analysis Generated
May 04, 2026 - 07:00 vuln.today
CVE Published
May 04, 2026 - 05:45 nvd
LOW 3.7

DescriptionCVE.org

mutt before 2.3.2 sometimes truncates the hash_passwd by one byte for IMAP auth_cram MD5 digest.

AnalysisAI

mutt before version 2.3.2 truncates the IMAP CRAM-MD5 authentication hash by one byte due to incorrect use of strfcpy instead of memcpy, potentially allowing attackers to bypass or weaken authentication on IMAP connections through off-by-one string handling errors.

Technical ContextAI

mutt is a text-based email client that supports IMAP authentication via the CRAM-MD5 mechanism, which uses an MD5 HMAC digest to authenticate users without transmitting passwords in cleartext. The vulnerability exists in the imap/auth_cram.c module's hmac_md5 function, specifically in how it copies the MD5 password hash into a buffer. The root cause is classified as CWE-193 (Off-by-one Error): the original code used strfcpy, a string copy function that treats the input as a null-terminated string and stops at the first null byte. MD5 digests are binary data (16 bytes) that may contain null bytes, causing premature truncation. The fix replaces strfcpy with memcpy, which copies a fixed number of bytes (MD5_DIGEST_LEN = 16) without null-byte interpretation, preserving the complete binary hash.

RemediationAI

Upgrade mutt to version 2.3.2 or later. The fix is available in upstream commit 834c5a2ed0479e51e8662a31caed129f136f4805 on GitHub (https://github.com/muttmua/mutt/commit/834c5a2ed0479e51e8662a31caed129f136f4805), which replaces the strfcpy call with memcpy in the hmac_md5 function. Users unable to upgrade immediately can mitigate by switching to alternative IMAP authentication methods supported by their mail server, such as PLAIN (over TLS), LOGIN, or XOAUTH2, rather than CRAM-MD5-this eliminates the attack surface entirely but requires reconfiguration of .muttrc authentication settings and server support for alternatives. Another mitigation is to restrict IMAP connections to servers enforcing TLS to prevent interception of the truncated hash during transit, though this does not fix the underlying cryptographic weakness.

More in Mutt

View all
CVE-2018-14362 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14359 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14358 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14357 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14356 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14354 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14353 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14352 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14351 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14350 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14349 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2014-9116 MEDIUM POC
5.0 Dec 02

The write_one_header function in mutt 1.5.23 does not properly handle newline characters at the beginning of a header, w

Share

CVE-2026-43860 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy