Skip to main content

Postfix CVE-2026-43964

| EUVDEUVD-2026-27115 HIGH
Off-by-one Error (CWE-193)
2026-05-04 mitre
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable malformed status code with no auth or interaction triggers a crash, so AV:N/AC:L/PR:N/UI:N; impact is availability-only (A:H), with C:N/I:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jun 30, 2026 - 04:25 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:25 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:25 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:22 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:24 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:24 NVD
LOW HIGH
CVSS changed
Jun 30, 2026 - 03:24 NVD
3.7 (LOW) 7.5 (HIGH)
Patch available
May 04, 2026 - 20:01 EUVD
Analysis Generated
May 04, 2026 - 19:30 vuln.today

DescriptionNVD

Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.

AnalysisAI

Remote denial of service in the Postfix mail transfer agent (before 3.8.16, 3.9.x before 3.9.10, and 3.10.x before 3.10.9) lets attackers crash the process through a malformed enhanced status code that ends immediately after the third numeric component with no trailing text, triggering a buffer over-read. The flaw affects availability only - no data exposure or code execution - and has no public exploit identified at time of analysis. EPSS is very low (0.04%, 11th percentile) and CISA SSVC rates exploitation as none and non-automatable, consistent with a crash-only bug.

Technical ContextAI

Postfix is a widely used open-source SMTP mail transfer agent. RFC 3463 enhanced status codes take the form 'class.subject.detail' (three dot-separated numbers) optionally followed by descriptive text. The vulnerability is rooted in CWE-193 (off-by-one error): when Postfix parses an enhanced status code that terminates right after the third number with no following text, the parser reads past the end of the buffer. The single affected CPE is cpe:2.3:a:postfix:postfix, indicating the upstream Postfix codebase itself rather than a downstream wrapper, so all distributions packaging the vulnerable releases inherit the bug.

RemediationAI

Vendor-released patch: upgrade to Postfix 3.8.16, 3.9.10, or 3.10.9 (or later) depending on your branch; these are the fixed releases per the Postfix announcement at https://www.mail-archive.com/postfix-announce@postfix.org/msg00110.html. Red Hat users should apply the distribution updates in RHSA-2026:25930, RHSA-2026:25932, or RHSA-2026:26205 as referenced at https://access.redhat.com/security/cve/CVE-2026-43964. Because the bug is a parser over-read with no configuration toggle to disable it, there is no clean feature-level workaround; as a compensating control while patching, restrict which SMTP peers Postfix talks to by tightening relay/smtp client access and firewalling the SMTP service to trusted networks to reduce exposure to attacker-supplied status codes, accepting the trade-off that this limits legitimate mail connectivity and does not fully eliminate the trigger. Monitor for unexpected smtpd/smtp process restarts as a detection signal.

Share

CVE-2026-43964 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy