Security update for mutt
This update for mutt fixes the following issues - CVE-2026-43859: `strfcpy` used instead of `memcpy` for the IMAP `auth_cram` MD5 digest (bsc#1263897). - CVE-2026-43860: truncation of `hash_passwd` by one byte for IMAP `auth_cram` MD5 digest (bsc#1263896). - CVE-2026-43861: missing check for `\0` in `url_pct_decode` (bsc#1263895). - CVE-2026-43862: mishandling of the `imap_auth_gss` security level (bsc#1263894). - CVE-2026-43863: infinite loop in `data_object_to_stream` in `crypt-gpgme.c` (bsc#1263893). - CVE-2026-43864: NULL pointer dereference in function `show_sig_summary` (bsc#1263892).
AI Analysis
Technical Summary
This update for mutt fixes six vulnerabilities: CVE-2026-43859 involves using strfcpy instead of memcpy for the IMAP auth_cram MD5 digest, potentially causing incorrect memory handling. CVE-2026-43860 addresses a one-byte truncation of hash_passwd in the same authentication context. CVE-2026-43861 fixes a missing null character check in url_pct_decode, which could lead to improper URL decoding. CVE-2026-43862 corrects mishandling of the imap_auth_gss security level. CVE-2026-43863 resolves an infinite loop in data_object_to_stream within crypt-gpgme.c. CVE-2026-43864 patches a NULL pointer dereference in show_sig_summary. These vulnerabilities affect mutt version 2.2.14-150600.3.6.1 on SUSE Linux for aarch64 and i586 architectures. The fixes are provided by the SUSE Product Security Team.
Potential Impact
The vulnerabilities impact the security and stability of mutt's IMAP authentication and cryptographic processing. Issues such as improper memory copying, truncation, missing null checks, and NULL pointer dereferences can lead to potential crashes, denial of service, or incorrect authentication behavior. The infinite loop could cause resource exhaustion. However, no known exploits in the wild have been reported for these issues.
Mitigation Recommendations
A security update has been released by the SUSE Product Security Team addressing all six vulnerabilities. Users should apply the official patches provided in the mutt package version 2.2.14-150600.3.6.1 for their respective SUSE Linux distributions on aarch64 and i586 architectures. Patch status is confirmed by the vendor advisory SUSE-SU-2026:2301-1. No additional mitigation steps are indicated beyond applying this update.
Security update for mutt
Description
This update for mutt fixes the following issues - CVE-2026-43859: `strfcpy` used instead of `memcpy` for the IMAP `auth_cram` MD5 digest (bsc#1263897). - CVE-2026-43860: truncation of `hash_passwd` by one byte for IMAP `auth_cram` MD5 digest (bsc#1263896). - CVE-2026-43861: missing check for `\0` in `url_pct_decode` (bsc#1263895). - CVE-2026-43862: mishandling of the `imap_auth_gss` security level (bsc#1263894). - CVE-2026-43863: infinite loop in `data_object_to_stream` in `crypt-gpgme.c` (bsc#1263893). - CVE-2026-43864: NULL pointer dereference in function `show_sig_summary` (bsc#1263892).
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This update for mutt fixes six vulnerabilities: CVE-2026-43859 involves using strfcpy instead of memcpy for the IMAP auth_cram MD5 digest, potentially causing incorrect memory handling. CVE-2026-43860 addresses a one-byte truncation of hash_passwd in the same authentication context. CVE-2026-43861 fixes a missing null character check in url_pct_decode, which could lead to improper URL decoding. CVE-2026-43862 corrects mishandling of the imap_auth_gss security level. CVE-2026-43863 resolves an infinite loop in data_object_to_stream within crypt-gpgme.c. CVE-2026-43864 patches a NULL pointer dereference in show_sig_summary. These vulnerabilities affect mutt version 2.2.14-150600.3.6.1 on SUSE Linux for aarch64 and i586 architectures. The fixes are provided by the SUSE Product Security Team.
Potential Impact
The vulnerabilities impact the security and stability of mutt's IMAP authentication and cryptographic processing. Issues such as improper memory copying, truncation, missing null checks, and NULL pointer dereferences can lead to potential crashes, denial of service, or incorrect authentication behavior. The infinite loop could cause resource exhaustion. However, no known exploits in the wild have been reported for these issues.
Mitigation Recommendations
A security update has been released by the SUSE Product Security Team addressing all six vulnerabilities. Users should apply the official patches provided in the mutt package version 2.2.14-150600.3.6.1 for their respective SUSE Linux distributions on aarch64 and i586 architectures. Patch status is confirmed by the vendor advisory SUSE-SU-2026:2301-1. No additional mitigation steps are indicated beyond applying this update.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- SUSE Product Security Team
- Advisory Id
- SUSE-SU-2026:2301-1
- Cve Count
- 6
- Additional Cves
- ["CVE-2026-43860","CVE-2026-43861","CVE-2026-43862","CVE-2026-43863","CVE-2026-43864"]
- Cvss Version
- null
Threat ID: 6a27e9a88dd33fbd8516f1cb
Added to database: 6/9/2026, 10:23:36 AM
Last enriched: 6/9/2026, 10:51:43 AM
Last updated: 6/10/2026, 5:05:19 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.