CVE-2026-43860
Deferred Deferred - Pending Action
IMAP CRAM-MD5 Password Truncation in Mutt

Publication date: 2026-05-04

Last updated on: 2026-05-04

Assigner: MITRE

Description
mutt before 2.3.2 sometimes truncates the hash_passwd by one byte for IMAP auth_cram MD5 digest.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-05-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43860
EUVD
EUVD-2026-26896
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
muttmua mutt to 2.3.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-193 A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability has a low severity score (CVSS 3.7) and can lead to integrity issues, as indicated by the impact on integrity (I:L). This means that the truncation of the hash_passwd could potentially allow an attacker to interfere with the authentication process, possibly causing incorrect authentication or denial of proper authentication.

Executive Summary

This vulnerability affects mutt versions before 2.3.2, where the software sometimes truncates the hash_passwd by one byte during the IMAP auth_cram MD5 digest process.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability relates to the truncation of the hash_passwd by one byte in Mutt's IMAP auth_cram MD5 digest before version 2.3.2. Detection would involve identifying if your system is running a vulnerable version of Mutt and if CRAM-MD5 authentication is in use.

You can check the installed Mutt version with the following command:

  • mutt -v

To detect if CRAM-MD5 authentication is being used on your IMAP connections, you might monitor network traffic for the AUTH=CRAM-MD5 mechanism in IMAP sessions. For example, using tcpdump or Wireshark to filter IMAP authentication exchanges.

  • sudo tcpdump -i any -A port 143 or port 993 | grep CRAM-MD5

However, since this vulnerability is specific to Mutt's internal handling of the MD5 digest, direct detection of the truncation via commands is not straightforward.

Mitigation Strategies

The primary mitigation is to upgrade Mutt to version 2.3.2 or later, where the vulnerability has been fixed by replacing the unsafe strfcpy() call with memcpy() to correctly handle the full MD5 digest.

If upgrading immediately is not possible, consider disabling CRAM-MD5 authentication in your IMAP configuration or avoid using CRAM-MD5 with Mutt until the update is applied.

Additionally, monitor and restrict access to IMAP services to trusted users and networks to reduce exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43860. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart