CVE-2021-3181 — Missing Release of Memory after Effective Lifetime in Mutt

CWE-401 — Missing Release of Memory after Effective Lifetime CWE-400 — Uncontrolled Resource Consumption6 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

3.0%

top 13.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mutt Debian Mutt Debian Linux +1 more

Timeline

PublishedJan 19

Latest updateMay 24

Description

rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups). A small email message from the attacker can cause large memory consumption, and the victim may then be unable to see email messages from other persons.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/mutt< mutt 2.0.5-1 (bookworm)

▶Debianmutt/mutt< 2.0.5-1+3

▶NVDmutt/mutt2.0.4

Also affects: Debian Linux 10.0, 9.0, Fedora 32, 33

Patches

Patch: gitlab.com ↗Patch: gitlab.com ↗Patch: gitlab.com ↗

🔴Vulnerability Details

GHSA

GHSA-prp6-7gc9-4jmw: rfc822↗2022-05-24

▶

OSV

CVE-2021-3181: rfc822↗2021-01-19

▶

📋Vendor Advisories

Ubuntu

Mutt vulnerability↗2021-01-25

▶

Red Hat

mutt: Memory leak when parsing rfc822 group addresses↗2021-01-19

▶

Debian

CVE-2021-3181: mutt - rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of serv...↗2021

▶