Severity
9.1 CRITICAL (NVD)
9.8 (OSV)
EPSS
0.4%
top 41.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 5
Latest update: Jan 15

Description

Mutt 1.11.0 through 2.0.x before 2.0.7 (and NeoMutt 2019-10-25 through 2021-05-04) has a $imap_qresync issue in which imap/util.c has an out-of-bounds read in situations where an IMAP sequence set ends with a comma. NOTE: the $imap_qresync setting for QRESYNC is not enabled by default.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Exploitability: 3.9 | Impact: 5.2

Affected Packages (6 packages)

Debian | neomutt/neomutt | < 20201127+dfsg.1-1.2 | +3
Ubuntu | neomutt/neomutt | < 20171215+dfsg.1-1ubuntu0.1~esm1 | +3
NVD | neomutt/neomutt | 20191025 - 20210504
NVD | mutt/mutt | 1.11.0 - 2.0.7
Debian | mutt/mutt | < 2.0.5-4.1 | +3

🔴 Vulnerability Details (5)

OSV | neomutt vulnerabilities | 2025-01-15
GHSA | GHSA-vchg-jq4g-j9q7: Mutt 1 | 2022-05-24
OSV | mutt vulnerabilities | 2022-04-28
CVEList | CVE-2021-32055: Mutt 1 | 2021-05-05
OSV | CVE-2021-32055: Mutt 1 | 2021-05-05

📋 Vendor Advisories (5)

Ubuntu | NeoMutt vulnerabilities | 2025-01-15
Ubuntu | Mutt vulnerabilities | 2022-04-28
Microsoft | Mutt 1.11.0 through 2.0.x before 2.0.7 (and NeoMutt 2019-10-25 through 2021-05-04) has a $imap_qresync issue in which imap/util.c has an out-of-bounds read in situations where an IMAP sequence set end | 2021-05-11
Red Hat | neomutt: Out of bounds read in IMAP parser | 2021-05-05
Debian | CVE-2021-32055: mutt - Mutt 1.11.0 through 2.0.x before 2.0.7 (and NeoMutt 2019-10-25 through 2021-05-0... | 2021