Skip to main content

Mutt EUVDEUVD-2026-26895

| CVE-2026-43859 LOW
Improper Neutralization of Null Byte or NUL Character (CWE-158)
2026-05-04 mitre
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

7
Patch available
May 04, 2026 - 07:31 EUVD
Source Code Evidence Fetched
May 04, 2026 - 07:30 vuln.today
Analysis Generated
May 04, 2026 - 07:30 vuln.today
Patch released
May 04, 2026 - 07:16 nvd
Patch available
EUVD ID Assigned
May 04, 2026 - 07:00 euvd
EUVD-2026-26895
Analysis Generated
May 04, 2026 - 07:00 vuln.today
CVE Published
May 04, 2026 - 05:41 nvd
LOW 3.7

DescriptionCVE.org

mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest.

AnalysisAI

Mutt before 2.3.2 uses an unsafe string copy function (strfcpy) instead of memcpy when handling MD5 digest data in IMAP CRAM authentication, allowing attackers to potentially forge IMAP credentials by triggering buffer manipulation during the authentication handshake. The vulnerability requires manual connection attempt to a malicious IMAP server and affects network IMAP authentication flows, though the low CVSS score (3.7) reflects high attack complexity and integrity impact only.

Technical ContextAI

Mutt's IMAP CRAM-MD5 authentication mechanism uses strfcpy (a string-safe copy function designed to null-terminate strings) to copy binary MD5 digest data into a buffer. strfcpy interprets the digest data as a C string and stops copying at the first null byte encountered, potentially truncating the cryptographic hash. The correct function, memcpy, performs fixed-length binary copying without null-byte interpretation. The vulnerability resides in imap/auth_cram.c line 152 (per commit 834c5a2), where strfcpy was called on a 16-byte MD5 digest (MD5_DIGEST_LEN) that may contain null bytes. CWE-158 (Improper Neutralization of Null Byte or NUL Character) categorizes this flaw: the null bytes within the binary digest are incorrectly interpreted as string terminators, truncating the authentication material.

RemediationAI

Upgrade Mutt to version 2.3.2 or later, which replaces the strfcpy call with memcpy in the IMAP CRAM-MD5 authentication function (commit 834c5a2ed0479e51e8662a31caed129f136f4805). Users unable to upgrade immediately should restrict IMAP authentication to trusted, internal mail servers and enable TLS/SSL encryption for all IMAP connections to reduce the attack surface. Disabling CRAM-MD5 authentication in favor of other mechanisms (PLAIN over TLS, OAuth2) is a workaround if the mail server supports alternatives, though this reduces authentication security if TLS is not enforced. The trade-off of disabling CRAM-MD5 is loss of a non-plaintext authentication option; verify server support before applying this mitigation.

More in Mutt

View all
CVE-2018-14362 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14359 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14358 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14357 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14356 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14354 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14353 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14352 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14351 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14350 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14349 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2014-9116 MEDIUM POC
5.0 Dec 02

The write_one_header function in mutt 1.5.23 does not properly handle newline characters at the beginning of a header, w

Share

EUVD-2026-26895 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy