Security update for mutt
This update for mutt fixes the following issues - CVE-2026-43859: `strfcpy` used instead of `memcpy` for the IMAP `auth_cram` MD5 digest (bsc#1263897). - CVE-2026-43860: truncation of `hash_passwd` by one byte for IMAP `auth_cram` MD5 digest (bsc#1263896). - CVE-2026-43861: missing check for `\0` in `url_pct_decode` (bsc#1263895). - CVE-2026-43862: mishandling of the `imap_auth_gss` security level (bsc#1263894). - CVE-2026-43863: infinite loop in `data_object_to_stream` in `crypt-gpgme.c` (bsc#1263893). - CVE-2026-43864: NULL pointer dereference in function `show_sig_summary` (bsc#1263892).
AI Analysis
Technical Summary
This security update for mutt addresses six vulnerabilities: CVE-2026-43859 involves the use of strfcpy instead of memcpy for the IMAP auth_cram MD5 digest; CVE-2026-43860 concerns truncation of the hash_passwd by one byte in the same context; CVE-2026-43861 is a missing check for a null terminator in url_pct_decode; CVE-2026-43862 relates to mishandling of the imap_auth_gss security level; CVE-2026-43863 is an infinite loop in data_object_to_stream within crypt-gpgme.c; and CVE-2026-43864 is a NULL pointer dereference in show_sig_summary. These issues were fixed in the SUSE mutt package version 1.10.1-55.33.1 for aarch64 and i586 architectures.
Potential Impact
The vulnerabilities could lead to incorrect authentication processing, potential denial of service through infinite loops or crashes due to NULL pointer dereferences, and improper handling of security levels. These issues may affect the reliability and security of IMAP authentication and cryptographic operations in mutt, potentially impacting confidentiality and availability of the email client.
Mitigation Recommendations
A security update fixing these vulnerabilities has been released by the SUSE Product Security Team. Users should apply the updated mutt package version 1.10.1-55.33.1 for their respective architectures (aarch64, i586) to remediate these issues. No additional mitigation steps are indicated.
Security update for mutt
Description
This update for mutt fixes the following issues - CVE-2026-43859: `strfcpy` used instead of `memcpy` for the IMAP `auth_cram` MD5 digest (bsc#1263897). - CVE-2026-43860: truncation of `hash_passwd` by one byte for IMAP `auth_cram` MD5 digest (bsc#1263896). - CVE-2026-43861: missing check for `\0` in `url_pct_decode` (bsc#1263895). - CVE-2026-43862: mishandling of the `imap_auth_gss` security level (bsc#1263894). - CVE-2026-43863: infinite loop in `data_object_to_stream` in `crypt-gpgme.c` (bsc#1263893). - CVE-2026-43864: NULL pointer dereference in function `show_sig_summary` (bsc#1263892).
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This security update for mutt addresses six vulnerabilities: CVE-2026-43859 involves the use of strfcpy instead of memcpy for the IMAP auth_cram MD5 digest; CVE-2026-43860 concerns truncation of the hash_passwd by one byte in the same context; CVE-2026-43861 is a missing check for a null terminator in url_pct_decode; CVE-2026-43862 relates to mishandling of the imap_auth_gss security level; CVE-2026-43863 is an infinite loop in data_object_to_stream within crypt-gpgme.c; and CVE-2026-43864 is a NULL pointer dereference in show_sig_summary. These issues were fixed in the SUSE mutt package version 1.10.1-55.33.1 for aarch64 and i586 architectures.
Potential Impact
The vulnerabilities could lead to incorrect authentication processing, potential denial of service through infinite loops or crashes due to NULL pointer dereferences, and improper handling of security levels. These issues may affect the reliability and security of IMAP authentication and cryptographic operations in mutt, potentially impacting confidentiality and availability of the email client.
Mitigation Recommendations
A security update fixing these vulnerabilities has been released by the SUSE Product Security Team. Users should apply the updated mutt package version 1.10.1-55.33.1 for their respective architectures (aarch64, i586) to remediate these issues. No additional mitigation steps are indicated.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- SUSE Product Security Team
- Advisory Id
- SUSE-SU-2026:2300-1
- Cve Count
- 6
- Additional Cves
- ["CVE-2026-43860","CVE-2026-43861","CVE-2026-43862","CVE-2026-43863","CVE-2026-43864"]
- Cvss Version
- null
Threat ID: 6a27e9a88dd33fbd8516f1de
Added to database: 6/9/2026, 10:23:36 AM
Last enriched: 6/9/2026, 10:51:51 AM
Last updated: 6/10/2026, 4:58:55 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.