CVE-2026-43861
Heap-based Buffer Overflow in Mutt Email Client
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| muttmua | mutt | up to (excluding) 2.3.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-158 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. |
AI Powered Q&A
How can this vulnerability impact me?
The impact of this vulnerability is limited, as indicated by the CVSS base score of 3.7.
It does not affect confidentiality or availability, but it can lead to a low impact on integrity, potentially allowing malformed URLs to be processed incorrectly.
Can you explain this vulnerability to me?
This vulnerability exists in the mutt email client versions before 2.3.2, where the function url_pct_decode does not check for embedded null characters ('\0') in URLs.
Specifically, the function fails to consider the URL-encoded null byte (%00) as an invalid character, which can lead to improper handling of URLs.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the presence of embedded null characters (%00) in URLs processed by the mutt email client before version 2.3.2. Detection would involve identifying URLs containing the URL-encoded null byte (%00) in email traffic or configuration files used by mutt.
You can search for such patterns in email files or logs using commands like:
- `grep -r '%00' /path/to/email/files`
- `tcpdump -A -s 0 'tcp port 25' | grep '%00'`
Alternatively, review mutt configuration or scripts that handle URLs for the presence of %00 sequences.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the mutt email client to version 2.3.2 or later, where the url_pct_decode() function has been patched to reject URLs containing the %00 (null byte) character.
Until the upgrade is applied, avoid processing or opening emails containing suspicious URLs with embedded null characters.
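The failure mode described in the two answers above, as an added example in C that is not mutt's own code (the real url_pct_decode() is not reproduced here): a minimal percent-decoder with a reject_nul switch. With the check off, %00 decodes to a 0x00 byte that any NUL-terminated string consumer treats as the end of the URL, so the tail is stored in the buffer but invisible to strlen() and comparisons. With the check on, the same input is rejected, which is the behaviour the mitigation answer attributes to the patched version. The function names, buffer sizes and the sample URL are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not mutt's code. A percent-decoder that optionally rejects
 * an embedded NUL (the CWE-158 case). Decoded text is later handled as a
 * NUL-terminated C string, so a decoded 0x00 silently truncates it. */

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode 'in' into 'out' (capacity outlen). Returns the number of bytes
 * stored (terminator excluded), or -1 on a malformed %xx escape, on an
 * output buffer that is too small, or, when reject_nul is set, on a
 * decoded NUL byte. */
int pct_decode(const char *in, char *out, size_t outlen, int reject_nul)
{
    size_t n = 0;
    const char *p = in;
    while (*p) {
        unsigned char byte;
        if (*p == '%') {
            int hi = hexval((unsigned char)p[1]);
            /* only look at p[2] when p[1] was a hex digit, so a trailing
             * "%4" never reads past the terminator */
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return -1;                 /* truncated or non-hex escape */
            byte = (unsigned char)((hi << 4) | lo);
            if (reject_nul && byte == 0) return -1; /* refuse the %00 escape */
            p += 3;
        } else {
            byte = (unsigned char)*p++;
        }
        if (n + 1 >= outlen) return -1;            /* keep room for the terminator */
        out[n++] = (char)byte;
    }
    out[n] = '\0';
    return (int)n;
}

/* Helpers that return a checkable result for a given URL. */
int checked_result(const char *url)      /* -1 means the URL was rejected */
{
    char buf[128];
    return pct_decode(url, buf, sizeof buf, 1);
}

int unchecked_written(const char *url)   /* bytes actually stored */
{
    char buf[128];
    return pct_decode(url, buf, sizeof buf, 0);
}

int unchecked_visible(const char *url)   /* bytes a C-string consumer sees */
{
    char buf[128];
    if (pct_decode(url, buf, sizeof buf, 0) < 0) return -1;
    return (int)strlen(buf);
}

int main(void)
{
    /* constructed sample: the "b" after %00 is stored but hidden */
    const char *url = "http://example.invalid/a%00b";
    printf("checked  : %d (rejected)\n", checked_result(url));
    printf("unchecked: stored %d bytes, strlen() sees %d\n",
           unchecked_written(url), unchecked_visible(url));
    return 0;
}
```

The gap between the stored length and the visible length is the integrity problem the CVSS text refers to: a downstream component that validates, logs or displays the decoded URL as a C string acts on a different value from the one that was actually written into the buffer.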
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
There is no information provided in the available context or resources about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.