CVE-2026-43859 Overview
CVE-2026-43859 affects the mutt email client in versions before 2.3.2. The vulnerability stems from incorrect string handling in the IMAP CRAM-MD5 authentication routine. Specifically, when the shared secret is longer than the MD5 block length, mutt copies the MD5 digest of that secret with strfcpy instead of memcpy in imap/auth_cram.c.
Because strfcpy treats its source as a NUL-terminated string, any null byte (0x00) inside the binary MD5 digest truncates the copy prematurely. This reduces the entropy of the authentication digest and maps to CWE-158 (Improper Neutralization of Null Byte or NUL Character).
Critical Impact
An attacker positioned to observe IMAP authentication exchanges may exploit the reduced digest entropy to compromise the integrity of the CRAM-MD5 challenge-response when secrets longer than the MD5 block length are used.
Affected Products
- mutt versions prior to 2.3.2
- IMAP auth_cram MD5 authentication code path in imap/auth_cram.c
- Deployments using IMAP CRAM-MD5 authentication with shared secrets longer than MD5_BLOCK_LEN
Discovery Timeline
- 2026-05-04 - CVE-2026-43859 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-43859
Vulnerability Analysis
The defect resides in the IMAP CRAM-MD5 authentication implementation in imap/auth_cram.c. When the configured shared secret exceeds MD5_BLOCK_LEN (64 bytes), mutt first hashes the secret with md5_buffer() and stores the resulting 16-byte binary digest in hash_passwd. The code then copies that digest into the secret buffer used for the HMAC-style inner/outer pad computation.
The flawed implementation calls strfcpy(), a string-copy helper that stops at the first null byte. Binary MD5 output frequently contains embedded 0x00 bytes. When that occurs, the copied secret is truncated at the first null byte, and the remaining bytes of the secret buffer retain prior or zeroed contents.
The result is reduced effective key entropy in the CRAM-MD5 challenge response. Practical exploitation requires network-adjacent positioning and conditions that lower attack complexity, which is reflected in the low integrity-impact scoring.
Root Cause
The root cause is the misuse of a null-terminated string copy primitive on binary cryptographic data. strfcpy() is appropriate for C strings but unsafe for fixed-length binary buffers such as MD5 digests. The fix replaces it with memcpy(), which copies a specified number of bytes regardless of content.
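To make the defect concrete, the following C program is an added example, not code from mutt, that models the two copy paths over constructed 16-byte digests. It assumes that strfcpy behaves like strncpy followed by a forced terminating NUL in the last byte (which is how mutt defines the macro, to the editor's knowledge); the sample digests, the MD5_BLOCK_LEN and MD5_DIGEST_LEN constants and all function names are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MD5_BLOCK_LEN  64   /* HMAC block size: above this mutt pre-hashes the secret */
#define MD5_DIGEST_LEN 16   /* size of a binary MD5 digest */

/* Model of mutt's strfcpy() macro (assumption: strncpy followed by a forced
 * terminating NUL in the last byte). strncpy stops at the first NUL in src
 * and zero-fills the rest of dst. */
static void strfcpy_model(char *dst, const char *src, size_t n)
{
    strncpy(dst, src, n);
    dst[n - 1] = '\0';
}

/* Copy the digest into the secret buffer the way the vulnerable code did
 * (use_fixed == 0) or the way the patch does (use_fixed != 0). The buffer is
 * pre-filled with a marker byte to stand in for stale contents. */
static void copy_digest(unsigned char *secret, const unsigned char *digest, int use_fixed)
{
    memset(secret, 0xAA, MD5_BLOCK_LEN);
    if (use_fixed)
        memcpy(secret, digest, MD5_DIGEST_LEN);
    else
        strfcpy_model((char *)secret, (const char *)digest, MD5_DIGEST_LEN);
}

/* Number of the 16 digest bytes that do not arrive intact in the secret buffer. */
size_t digest_bytes_lost(const unsigned char *digest, int use_fixed)
{
    unsigned char secret[MD5_BLOCK_LEN];
    size_t i, lost = 0;
    copy_digest(secret, digest, use_fixed);
    for (i = 0; i < MD5_DIGEST_LEN; i++)
        if (secret[i] != digest[i])
            lost++;
    return lost;
}

/* Bits of the 128-bit digest that still depend on the original secret after
 * the copy: with the string copy everything from the first NUL onward is
 * fixed to zero, and the forced terminator always clears the last byte. */
unsigned effective_key_bits(const unsigned char *digest, int use_fixed)
{
    size_t i;
    if (use_fixed)
        return 8 * MD5_DIGEST_LEN;
    for (i = 0; i < MD5_DIGEST_LEN - 1; i++)
        if (digest[i] == 0)
            break;
    return (unsigned)(8 * i);
}

/* Constructed sample digests (not real MD5 output): the first contains a NUL
 * at index 5, the second contains no NUL at all. */
const unsigned char DIGEST_WITH_NUL[MD5_DIGEST_LEN] = {
    0x9e, 0x10, 0x7d, 0x9d, 0x37, 0x00, 0x2b, 0x4c,
    0xa1, 0xf3, 0x5e, 0x8d, 0x6f, 0x12, 0xc4, 0x77 };
const unsigned char DIGEST_NO_NUL[MD5_DIGEST_LEN] = {
    0x3a, 0x5f, 0x91, 0xc2, 0x0d, 0x7e, 0x44, 0xb8,
    0x19, 0xe6, 0x52, 0xaa, 0x6b, 0x0f, 0x33, 0xd9 };

int main(void)
{
    const unsigned char *samples[2] = { DIGEST_WITH_NUL, DIGEST_NO_NUL };
    const char *labels[2] = { "digest with NUL at index 5", "digest without NUL" };
    int s, fixed;
    for (s = 0; s < 2; s++)
        for (fixed = 0; fixed < 2; fixed++)
            printf("%-27s %-7s lost=%2zu bytes, key bits=%3u\n",
                   labels[s], fixed ? "memcpy" : "strfcpy",
                   digest_bytes_lost(samples[s], fixed),
                   effective_key_bits(samples[s], fixed));
    return 0;
}
```

For the digest with a NUL at index 5 the string copy leaves only 40 of 128 key bits dependent on the original secret (10 of 16 bytes are lost), and even a digest with no NUL loses its final byte to the forced terminator; memcpy preserves all 16 bytes in both cases.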
Attack Vector
The attack vector is network-based and requires high attack complexity. An adversary must observe or interact with IMAP CRAM-MD5 authentication where the configured secret is longer than 64 bytes. The integrity of the digest is the primary asset affected; confidentiality and availability are not impacted per the CVSS vector.
// Patch from imap/auth_cram.c (mutt commit 834c5a2)
if (secret_len > MD5_BLOCK_LEN)
{
md5_buffer (password, secret_len, hash_passwd);
- strfcpy ((char*) secret, (char*) hash_passwd, MD5_DIGEST_LEN);
+ memcpy(secret, hash_passwd, MD5_DIGEST_LEN);
secret_len = MD5_DIGEST_LEN;
}
else
// Source: https://github.com/muttmua/mutt/commit/834c5a2ed0479e51e8662a31caed129f136f4805
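Review bot: the memcpy line is the right fix, but a one-line comment above it stating why a string copy is wrong here (hash_passwd holds 16 bytes of binary MD5 output that may contain NUL) would keep the strfcpy form from being reintroduced later. Two things are worth confirming at this point in the hunk: that secret is sized for at least MD5_DIGEST_LEN bytes, since memcpy no longer stops early, and that hash_passwd is cleared once secret_len has been set, as it now carries the key material used for the rest of the exchange.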
The patch swaps strfcpy for memcpy, ensuring all 16 bytes of the binary MD5 digest are copied into secret regardless of any embedded null bytes.
Detection Methods for CVE-2026-43859
Indicators of Compromise
- IMAP client connections originating from hosts running mutt versions earlier than 2.3.2 against authentication-sensitive mail servers.
- Repeated CRAM-MD5 authentication failures from mutt clients, which can indicate digest truncation when long shared secrets are configured.
- Presence of unpatched mutt binaries with the vulnerable auth_cram.c code path on workstations and shared servers.
Detection Strategies
- Inventory installed mutt packages across managed Linux and macOS hosts and flag versions below 2.3.2.
- Audit IMAP server logs for CRAM-MD5 authentication patterns from clients identifying as mutt in user-agent or connection metadata.
- Use software composition analysis to detect builds of mutt derived from the muttmua/mutt source tree prior to commit 834c5a2.
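As an added example for the inventory step (not part of the advisory or of mutt), the C program below parses the first line of `mutt -v` output and flags versions below 2.3.2. It assumes the banner has the form "Mutt X.Y.Z (date)", which is how current mutt releases print it to the editor's knowledge; the sample banner lines are constructed, and a two-part version such as "Mutt 2.3" is treated as patch level 0.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* First fixed release, per the advisory. */
#define FIXED_MAJOR 2
#define FIXED_MINOR 3
#define FIXED_PATCH 2

/* Parse "Mutt X.Y.Z ..." (or "Mutt X.Y ...") into numeric parts.
 * Returns 1 on success, 0 if the line carries no usable version. */
int parse_mutt_banner(const char *line, int *major, int *minor, int *patch)
{
    const char *p = line;
    int n;
    while (*p && !isdigit((unsigned char)*p))   /* skip the "Mutt " prefix */
        p++;
    if (!*p)
        return 0;
    *major = *minor = *patch = 0;
    n = sscanf(p, "%d.%d.%d", major, minor, patch);
    return n >= 2;
}

/* 1 if the banner reports a version below 2.3.2, 0 if it is patched,
 * -1 if the line could not be parsed and needs manual review. */
int mutt_version_is_vulnerable(const char *banner)
{
    int maj, min, pat;
    if (!parse_mutt_banner(banner, &maj, &min, &pat))
        return -1;
    if (maj != FIXED_MAJOR)
        return maj < FIXED_MAJOR;
    if (min != FIXED_MINOR)
        return min < FIXED_MINOR;
    return pat < FIXED_PATCH;
}

int main(void)
{
    /* Constructed banner lines, as an inventory script might collect them. */
    const char *banners[] = {
        "Mutt 2.2.13 (2024-03-09)",
        "Mutt 2.3.2 (2026-05-01)",
        "Mutt 2.3.10 (2026-11-01)",
        "Mutt 1.14.7 (2020-08-29)",
        "Mutt 3.0 (2027-01-01)",
        "mutt: command not found",
    };
    size_t i;
    for (i = 0; i < sizeof banners / sizeof banners[0]; i++) {
        int v = mutt_version_is_vulnerable(banners[i]);
        printf("%-28s -> %s\n", banners[i],
               v == 1 ? "VULNERABLE (below 2.3.2)" :
               v == 0 ? "patched" : "unparsed, review manually");
    }
    return 0;
}
```

Feed it the first line of `mutt -v` from each host (for example via an inventory job that collects `mutt -v | head -n 1`) and treat both a return of 1 and a return of -1 as items to follow up on.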
Monitoring Recommendations
- Monitor outbound IMAP traffic to non-corporate mail providers from endpoints running command-line mail clients.
- Alert on authentication anomalies on mail servers that support CRAM-MD5, including repeated failures correlated with specific source hosts.
- Track package management events (apt, dnf, brew, pkg) installing or upgrading mutt to confirm patched versions are deployed.
How to Mitigate CVE-2026-43859
Immediate Actions Required
- Upgrade mutt to version 2.3.2 or later on all affected systems.
- Where upgrade is not immediate, prefer IMAP authentication mechanisms other than CRAM-MD5, such as SASL PLAIN over TLS or OAuth2 where supported.
- Rotate any IMAP credentials longer than 64 bytes that have been used with vulnerable mutt builds.
Patch Information
The upstream fix is available in the muttmua/mutt commit 834c5a2, which replaces the strfcpy call with memcpy in imap/auth_cram.c. Distributors should rebuild mutt against the patched source and ship it as a security update. Versions 2.3.2 and later contain the fix.
Workarounds
- Configure mutt to use shared IMAP secrets shorter than MD5_BLOCK_LEN (64 bytes), which avoids the vulnerable code branch entirely.
- Disable CRAM-MD5 in mutt configuration and require TLS-protected PLAIN or LOGIN authentication on the server side.
- Restrict outbound IMAP traffic from endpoints to known, trusted mail servers using TLS to reduce exposure to passive observers.
# Verify installed mutt version is patched
mutt -v | head -n 1
# Debian / Ubuntu
sudo apt update && sudo apt install --only-upgrade mutt
# Fedora / RHEL
sudo dnf upgrade mutt
# Optional: prefer non-CRAM-MD5 auth in ~/.muttrc
# set imap_authenticators="oauthbearer:plain"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.