Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable malformed status code with no auth or interaction triggers a crash, so AV:N/AC:L/PR:N/UI:N; impact is availability-only (A:H), with C:N/I:N.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
9DescriptionNVD
Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.
AnalysisAI
Remote denial of service in the Postfix mail transfer agent (before 3.8.16, 3.9.x before 3.9.10, and 3.10.x before 3.10.9) lets attackers crash the process through a malformed enhanced status code that ends immediately after the third numeric component with no trailing text, triggering a buffer over-read. The flaw affects availability only - no data exposure or code execution - and has no public exploit identified at time of analysis. EPSS is very low (0.04%, 11th percentile) and CISA SSVC rates exploitation as none and non-automatable, consistent with a crash-only bug.
Technical ContextAI
Postfix is a widely used open-source SMTP mail transfer agent. RFC 3463 enhanced status codes take the form 'class.subject.detail' (three dot-separated numbers) optionally followed by descriptive text. The vulnerability is rooted in CWE-193 (off-by-one error): when Postfix parses an enhanced status code that terminates right after the third number with no following text, the parser reads past the end of the buffer. The single affected CPE is cpe:2.3:a:postfix:postfix, indicating the upstream Postfix codebase itself rather than a downstream wrapper, so all distributions packaging the vulnerable releases inherit the bug.
RemediationAI
Vendor-released patch: upgrade to Postfix 3.8.16, 3.9.10, or 3.10.9 (or later) depending on your branch; these are the fixed releases per the Postfix announcement at https://www.mail-archive.com/postfix-announce@postfix.org/msg00110.html. Red Hat users should apply the distribution updates in RHSA-2026:25930, RHSA-2026:25932, or RHSA-2026:26205 as referenced at https://access.redhat.com/security/cve/CVE-2026-43964. Because the bug is a parser over-read with no configuration toggle to disable it, there is no clean feature-level workaround; as a compensating control while patching, restrict which SMTP peers Postfix talks to by tightening relay/smtp client access and firewalling the SMTP service to trusted networks to reduce exposure to attacker-supplied status codes, accepting the trade-off that this limits legitimate mail connectivity and does not fully eliminate the trigger. Monitor for unexpected smtpd/smtp process restarts as a detection signal.
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users
Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and
A certain Postfix 2.10.1-7 package could allow an attacker to send an email from an arbitrary-looking sender via a homog
Same weakness CWE-193 – Off-by-one Error
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27115