CVE-2026-43859
Deferred - Pending Action
Buffer Overflow in Mutt Email Client

Publication date: 2026-05-04

Last updated on: 2026-05-04

Assigner: MITRE

Description
mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest.
Meta Information
Published: 2026-05-04
Last Modified: 2026-05-04
Generated: 2026-06-16
AI Q&A: 2026-05-04
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: mutt
Product: mutt
Version / Range: up to 2.3.2 (exclusive)
CWE ID: CWE-158
Description: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.
Executive Summary

This vulnerability affects the IMAP CRAM-MD5 authentication mechanism in Mutt versions before 2.3.2. The code used strfcpy() to copy the raw binary MD5 digest of a secret during authentication. Because strfcpy() can truncate the value, either when it contains a null byte or because of an off-by-one error in the size parameter, the full MD5 digest was not always copied correctly.

The fix replaced strfcpy() with memcpy() to ensure the entire MD5 digest is copied properly, preventing truncation and ensuring correct handling of secrets longer than the MD5 block length.
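The two truncation modes described above, as an added example that is not Mutt's code: bounded_str_copy is a hypothetical stand-in for a strfcpy-style bounded string copy, and the digests and size arguments are constructed to show each failure mode rather than taken from Mutt's source.

```c
#include <stdio.h>
#include <string.h>

#define MD5_DIGEST_LEN 16
#define MD5_BLOCK_LEN  64   /* HMAC-MD5 key block; longer secrets are hashed first */

/* Constructed sample digests (not real hashes of any secret). */
static const unsigned char DIGEST_WITH_NUL[MD5_DIGEST_LEN] = {
    0x3a, 0x91, 0x00, 0x5c, 0xe7, 0x12, 0x88, 0x4d,
    0xb0, 0x6f, 0x21, 0xc3, 0x9a, 0x57, 0xfe, 0x08 };
static const unsigned char DIGEST_NO_NUL[MD5_DIGEST_LEN] = {
    0x3a, 0x91, 0x44, 0x5c, 0xe7, 0x12, 0x88, 0x4d,
    0xb0, 0x6f, 0x21, 0xc3, 0x9a, 0x57, 0xfe, 0x08 };

/* Hypothetical stand-in for a bounded string copy: stops at the first NUL,
 * writes at most size bytes, and always NUL-terminates within them. */
static void bounded_str_copy(unsigned char *dst, const unsigned char *src, size_t size)
{
    size_t i = 0;
    if (size == 0)
        return;
    while (i + 1 < size && src[i] != 0) {
        dst[i] = src[i];
        i++;
    }
    while (i < size)
        dst[i++] = 0;
}

/* Builds the zero-padded key block from a digest and reports whether all
 * MD5_DIGEST_LEN bytes arrived intact. size is ignored when use_memcpy != 0. */
static int digest_survives(int use_memcpy, const unsigned char *digest, size_t size)
{
    unsigned char key[MD5_BLOCK_LEN] = {0};
    if (use_memcpy)
        memcpy(key, digest, MD5_DIGEST_LEN);
    else
        bounded_str_copy(key, digest, size);
    return memcmp(key, digest, MD5_DIGEST_LEN) == 0;
}

int main(void)
{
    printf("string copy, embedded NUL:   %d\n", digest_survives(0, DIGEST_WITH_NUL, MD5_DIGEST_LEN + 1));
    printf("string copy, size == length: %d\n", digest_survives(0, DIGEST_NO_NUL, MD5_DIGEST_LEN));
    printf("memcpy, embedded NUL:        %d\n", digest_survives(1, DIGEST_WITH_NUL, 0));
    return 0;
}
```

A string copy keeps the digest intact only when it contains no zero byte and the size argument leaves room for the terminator; memcpy with the digest length has neither dependency.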

Impact Analysis

The vulnerability could lead to incorrect handling of the MD5 digest during IMAP CRAM-MD5 authentication, potentially causing authentication failures or weakening the authentication process.

However, this issue is of low severity (CVSS 3.7) and likely has limited impact because CRAM-MD5 is rarely used and most passwords are shorter than 64 bytes, reducing the chance of triggering the truncation problem.

Detection Guidance

This vulnerability affects Mutt versions before 2.3.2 when using the IMAP CRAM-MD5 authentication mechanism. Detection involves identifying if your system is running a vulnerable version of Mutt and if CRAM-MD5 authentication is in use.

  • Check the installed Mutt version with the command: mutt -v
  • Inspect your email client configuration files (e.g., ~/.muttrc) for usage of IMAP with CRAM-MD5 authentication.
  • Monitor network traffic for IMAP authentication attempts using CRAM-MD5 by capturing packets with tools like tcpdump or Wireshark and filtering for IMAP AUTH commands.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Mutt to version 2.3.2 or later, where the issue with incorrect copying of the MD5 digest during IMAP CRAM-MD5 authentication has been fixed.

If upgrading immediately is not possible, consider disabling CRAM-MD5 authentication in your Mutt configuration to avoid triggering the vulnerable code path.

Additionally, monitor authentication logs for unusual activity and ensure that strong passwords are used, as the vulnerability mainly affects handling of longer secrets.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
