CVE-2026-43860
IMAP CRAM-MD5 Password Truncation in Mutt
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| muttmua | mutt | < 2.3.2 (all versions before 2.3.2; 2.3.2 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-193 | Off-by-one Error: a product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability carries a low severity score (CVSS 3.7) with a low integrity impact (I:L). When the digest used as key material is cut one byte short, the client computes its CRAM-MD5 response over the wrong key, so the server's own recomputation does not match and the login is rejected. The practical effect is a failed authentication for the affected account; nothing on this page indicates an authentication bypass, and the description attributes the truncation to Mutt's own digest handling rather than to input an attacker controls.
Can you explain this vulnerability to me?
This vulnerability affects Mutt versions before 2.3.2. In the IMAP auth_cram code, the MD5 digest of the password (hash_passwd) is in some cases copied with a string-copy routine that reserves the last byte of the destination for a NUL terminator and stops at the first NUL byte it meets. Applied to a raw 16-byte digest, which is binary data and not a string, that copy drops the final digest byte (and anything after an embedded NUL), so the key fed into the CRAM-MD5 HMAC is no longer the full digest and the response Mutt sends does not match what the server expects.
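As an added illustration of the explanation above (example code written for this page, not Mutt's code or anything from the advisory), the following Python models the CRAM-MD5 exchange of RFC 2195 with two client variants: one that copies the full 16-byte digest (the memcpy behaviour) and one that copies it the way a NUL-terminating string copy would (at most 15 bytes, stopping at an embedded NUL). Two things are assumptions: that the truncation sits on the HMAC long-key branch, where RFC 2104 replaces a password longer than the 64-byte MD5 block by its digest, and that the string-copy semantics are the ones modelled. The challenge, user and secret are the worked example from RFC 2195; the long passwords are constructed for this page.

```python
"""CRAM-MD5 (RFC 2195) client response and server check, with a model of the
one-byte digest truncation described for Mutt before 2.3.2.

Added example for this page, not code from Mutt. Assumptions (labelled):
the truncation sits on the HMAC long-key branch, where RFC 2104 replaces a
key longer than the 64-byte MD5 block by its 16-byte MD5 digest, and it
behaves like a NUL-terminating string copy into a 16-byte buffer (15 bytes
at most, stopping at an embedded NUL) instead of a memcpy of all 16 bytes.
"""
import hashlib
import hmac

MD5_BLOCK_LEN = 64
MD5_DIGEST_LEN = 16


def strfcpy_like(src: bytes, size: int) -> bytes:
    """Model of strncpy(dst, src, size) followed by dst[size-1] = '\\0':
    at most size-1 bytes survive and the copy stops at the first NUL.
    Correct for C strings, wrong for a raw digest (the modelled defect)."""
    out = src[: size - 1]
    nul = out.find(b"\x00")
    return out if nul < 0 else out[:nul]


def prepare_key(password: bytes, fixed: bool) -> bytes:
    """RFC 2104 key preparation. A password longer than the block size is
    replaced by its MD5 digest; `fixed` selects a copy of all 16 bytes
    (the memcpy behaviour) versus the string-copy model (the defect)."""
    if len(password) <= MD5_BLOCK_LEN:
        return password
    digest = hashlib.md5(password).digest()
    return digest if fixed else strfcpy_like(digest, MD5_DIGEST_LEN)


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    """HMAC-MD5 written out (RFC 2104) so the key handling stays visible.
    `key` is already at most 64 bytes here; it is zero-padded to the block."""
    block = key.ljust(MD5_BLOCK_LEN, b"\x00")
    ipad = bytes(b ^ 0x36 for b in block)
    opad = bytes(b ^ 0x5C for b in block)
    inner = hashlib.md5(ipad + msg).digest()
    return hashlib.md5(opad + inner).digest()


def cram_md5_response(user: str, password: bytes, challenge: bytes,
                      fixed: bool = True) -> str:
    """Client side: "<user> <lowercase hex HMAC-MD5(password, challenge)>".
    The challenge is the server's base64-decoded "+ ..." continuation data."""
    key = prepare_key(password, fixed)
    return f"{user} {hmac_md5(key, challenge).hex()}"


def server_verify(response: str, password: bytes, challenge: bytes) -> bool:
    """Server side: recompute with the stored secret using the standard
    library HMAC (no truncation) and compare in constant time."""
    _user, _, digest = response.partition(" ")
    expected = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest.encode(), expected.encode())


def truncation_is_lossless(password: bytes) -> bool:
    """True when the string-copy model happens to yield the same zero-padded
    key as the full copy, i.e. every digest byte from the first NUL (or from
    byte 15) onward is zero. Only then does the defective client still log in."""
    buggy = prepare_key(password, fixed=False).ljust(MD5_DIGEST_LEN, b"\x00")
    return buggy == prepare_key(password, fixed=True)


# Constructed sample exchange: challenge, user and secret are the RFC 2195
# worked example; the long passwords are made up for this page.
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
RFC_USER, RFC_SECRET = "tim", b"tanstaaftanstaaf"
LONG_PASSWORDS = [
    b"correct horse battery staple " * 3,   # 87 bytes, longer than the block
    b"A" * 65,                              # one byte over the block size
    b"0123456789abcdef" * 5,                # 80 bytes
]


def login_outcomes(password: bytes) -> dict:
    """Does a fixed client and a defective client pass the server check?"""
    return {
        "fixed": server_verify(cram_md5_response("u", password, CHALLENGE, True),
                               password, CHALLENGE),
        "buggy": server_verify(cram_md5_response("u", password, CHALLENGE, False),
                               password, CHALLENGE),
    }


if __name__ == "__main__":
    print(cram_md5_response(RFC_USER, RFC_SECRET, CHALLENGE))
    for pw in [RFC_SECRET] + LONG_PASSWORDS:
        print(len(pw), login_outcomes(pw))
```

Run it and the defective client fails the server check for the long passwords, while both variants agree for the 16-byte RFC secret, which never reaches the long-key branch. Under the stated assumptions the defective client still passes only when the digest bytes it drops happen to be zero, which is why the problem depends on the password rather than on anything the server sends.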
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability relates to the truncation of the hash_passwd by one byte in Mutt's IMAP auth_cram MD5 digest before version 2.3.2. Detection is about the client: establish whether a vulnerable Mutt is installed and whether it would actually use its built-in CRAM-MD5 authenticator.
Check the installed Mutt version and its compile options:
- mutt -v
The first line prints the version. Further down, the compile options show whether Mutt was built with SASL (+USE_SASL or -USE_SASL); check that flag, because Mutt registers its built-in cram-md5 authenticator only in builds without SASL, and a SASL build hands CRAM-MD5 to the SASL library instead of the affected code path.
Check which mechanisms Mutt is configured to try:
- mutt -Q imap_authenticators
An empty value means Mutt tries every mechanism the server advertises, so CRAM-MD5 can be in use without being named anywhere in your configuration.
On the wire, the server advertises the mechanism as AUTH=CRAM-MD5 in its CAPABILITY response and the client selects it with AUTHENTICATE CRAM-MD5. Both are readable only in cleartext, so capture on port 143 before STARTTLS; port 993 (implicit TLS) shows nothing useful to a plain grep:
- sudo tcpdump -i any -l -A 'port 143' | grep -E 'AUTH=CRAM-MD5|AUTHENTICATE CRAM-MD5'
Since the defect is in Mutt's internal digest handling, the truncation has no direct on-the-wire signature. What you would observe is a CRAM-MD5 login that the server rejects (a tagged NO reply to the AUTHENTICATE command) for an account whose password is known to be correct.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Mutt to version 2.3.2 or later, where the fix replaces the strfcpy() call on the digest with memcpy(), so every byte of the MD5 digest is copied regardless of its value.
If upgrading immediately is not possible, steer Mutt away from CRAM-MD5 by listing only the mechanisms you want in .muttrc, for example `set imap_authenticators="plain"` (or "login") over a TLS-protected connection (`set ssl_force_tls=yes`), and confirm the effective value with `mutt -Q imap_authenticators`.
Because the defect is in the client, restricting who can reach the IMAP server does not change the exposure; the controls that matter are the Mutt version in use and the authentication mechanism it negotiates.