Skip to main content

Mutt EUVDEUVD-2026-26902

| CVE-2026-43863 LOW
Incorrect Check of Function Return Value (CWE-253)
2026-05-04 mitre
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

7
Patch available
May 04, 2026 - 07:31 EUVD
Source Code Evidence Fetched
May 04, 2026 - 07:31 vuln.today
Analysis Generated
May 04, 2026 - 07:31 vuln.today
Patch released
May 04, 2026 - 07:16 nvd
Patch available
EUVD ID Assigned
May 04, 2026 - 07:00 euvd
EUVD-2026-26902
Analysis Generated
May 04, 2026 - 07:00 vuln.today
CVE Published
May 04, 2026 - 06:05 nvd
LOW 3.7

DescriptionCVE.org

mutt before 2.3.2 has an infinite loop in data_object_to_stream in crypt-gpgme.c.

AnalysisAI

Mutt before version 2.3.2 contains an infinite loop in the data_object_to_stream function within crypt-gpgme.c that can be triggered during GPG encryption operations, leading to denial of service. The vulnerability affects remote attackers under high-complexity conditions (requiring specific GPG-encrypted message handling), and is publicly documented via a GitHub commit but has no active exploitation confirmed. The fix changes the loop condition from checking non-zero read results to explicitly checking for positive read values (> 0), preventing infinite iteration when gpgme_data_read returns zero or negative values.

Technical ContextAI

Mutt is an email client that uses the GPGME (GnuPG Made Easy) library for OpenPGP cryptographic operations. The vulnerable code path is in crypt-gpgme.c, the function responsible for converting GPGME data objects to output streams during encryption/decryption workflows. The root cause is CWE-253 (Incorrect Check of Function Return Value), where the code fails to properly validate the return value of gpgme_data_read(). The original while loop condition (while ((nread = gpgme_data_read(data, buf, sizeof (buf))))) treats any non-zero value-including error returns or zero-length reads-as continuation, causing the loop to never terminate if gpgme_data_read returns 0 or a negative error code. The fix explicitly checks for positive values (> 0), ensuring the loop only continues when data is actually read.

RemediationAI

Upgrade mutt to version 2.3.2 or later, which includes the fix to the loop condition in data_object_to_stream(). The patch is minimal and available in the upstream repository commit fdc04a171777327218a1e78db504926c388b48c4. Most distributions will release patched packages; verify availability via your package manager or download from the Mutt project (https://github.com/muttmua/mutt/releases). As a temporary workaround pending patching, administrators can disable GPG/GPGME support in mutt's configuration by setting appropriate crypt options, though this eliminates encryption functionality. Alternatively, restrict message processing to trusted sources or implement resource limits (timeout/memory) at the mail client process level to mitigate DoS impact if the vulnerability is triggered. The trivial nature of the fix makes delay inadvisable.

More in Mutt

View all
CVE-2018-14362 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14359 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14358 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14357 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14356 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14354 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14353 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14352 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14351 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14350 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2018-14349 CRITICAL
9.8 Jul 17

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. Rated critical severity (CVSS 9.8), this vu

CVE-2014-9116 MEDIUM POC
5.0 Dec 02

The write_one_header function in mutt 1.5.23 does not properly handle newline characters at the beginning of a header, w

Share

EUVD-2026-26902 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy