Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
7DescriptionCVE.org
In mutt before 2.3.2, the imap_auth_gss security level is mishandled.
AnalysisAI
Mutt before 2.3.2 mishandles the IMAP GSS security level due to improper integer casting and insufficient bounds checking, allowing remote attackers to trigger memory corruption and information disclosure via a crafted IMAP server response during GSS-API authentication. The vulnerability requires high attack complexity (malicious IMAP server) but affects all versions prior to 2.3.2.
Technical ContextAI
The vulnerability exists in mutt's IMAP GSS-API authentication handler (imap/auth_gss.c). The code performs network-order conversion (ntohl) of a 4-byte security level field from the IMAP server without first verifying the received token contains at least 4 bytes. The original code cast this field as a long pointer on systems where long may be 64-bit, creating a type mismatch between the declared variable (unsigned long) and the actual 32-bit network data (uint32_t). This combination of insufficient bounds checking (CWE-843: Access of Memory Location Using Variable with Incorrect Type) and potential integer overflow allows reading or writing adjacent memory. The GSS-API security negotiation phase occurs unauthenticated during IMAP session setup.
RemediationAI
Upgrade mutt to version 2.3.2 or later. Users on systems where patched versions are not yet available should disable GSS-API authentication by removing 'gss' from the imap_authenticators configuration setting or by not connecting to IMAP servers that require or offer GSS-API. Note that disabling GSS-API may restrict authentication options if the IMAP server requires Kerberos; coordinate with mail server administrators for alternative authentication methods. No workarounds exist for patched versions.
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu
The write_one_header function in mutt 1.5.23 does not properly handle newline characters at the beginning of a header, w
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26900