CVE-2026-43861 Overview
CVE-2026-43861 affects the Mutt mail client in versions before 2.3.2. The vulnerability exists in the url_pct_decode() function within url.c, which fails to check for embedded null bytes (\0) during percent-decoding of URL-encoded input. An attacker can craft a URL containing a percent-encoded null byte (%00) that bypasses string boundary expectations during URL parsing.
The flaw maps to CWE-158: Improper Neutralization of Null Byte or NUL Character. Exploitation requires network-delivered crafted input but has high attack complexity. The integrity impact is limited and there is no direct confidentiality or availability impact.
Critical Impact
Crafted URLs containing percent-encoded null bytes can truncate or corrupt URL parsing in Mutt, resulting in limited integrity impact during mail processing operations.
Affected Products
- Mutt mail client versions prior to 2.3.2
- Distributions packaging vulnerable Mutt builds (verify package version)
- Tools and scripts depending on Mutt's URL handling routines
Discovery Timeline
- 2026-05-04 - CVE-2026-43861 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-43861
Vulnerability Analysis
The vulnerability resides in url_pct_decode() in url.c, the routine responsible for decoding percent-encoded sequences in URLs processed by Mutt. The function validates that the two characters following a % are valid hexadecimal digits and then converts them into a single byte. It does not, however, reject the case where both hex digits encode the value zero. As a result, the sequence %00 is decoded into an embedded NUL character that is written into the destination buffer.
Downstream consumers in Mutt treat the decoded buffer as a C string and rely on the first NUL terminator as the end of the data. An attacker who supplies a URL containing %00 causes string operations to terminate prematurely. This produces a mismatch between the parsed URL and the bytes actually present after decoding.
The issue is classified under CWE-158 (Improper Neutralization of Null Byte or NUL Character).
Root Cause
The root cause is missing input validation in url_pct_decode(). The decoder accepts any pair of valid hex digits without rejecting the explicit zero-byte encoding %00. Because Mutt processes the decoded result as a NUL-terminated string, an embedded NUL silently truncates subsequent processing logic.
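To make the Vulnerability Analysis and Root Cause sections concrete, here is an added example (not Mutt's code): a reimplementation of an in-place percent-decoder with the embedded-NUL check from the fix switchable on and off. The function names pct_decode and decode_and_check, the sample input, and the fallback for an undecodable escape (the byte is copied literally) are assumptions made for this illustration. The returned write count is what a consumer tracking the output pointer believes the length is; strlen() afterwards is what a C-string consumer actually sees, and the two differ exactly when a NUL was embedded.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of a hex digit, or -1 if c is not one. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode s in place. Returns the number of bytes written before the
 * terminator. With reject_nul == 0 this models the pre-fix behaviour:
 * "%00" becomes a NUL byte inside the buffer and decoding continues
 * past it. With reject_nul != 0 the fix's condition applies: at least
 * one of the two digits must be non-zero, otherwise the sequence is
 * left undecoded (assumed fallback: bytes copied literally). */
static size_t pct_decode(char *s, int reject_nul)
{
    char *start = s;
    char *d = s;

    for (; *s; s++) {
        if (*s == '%' && s[1] && s[2] &&
            isxdigit((unsigned char) s[1]) && isxdigit((unsigned char) s[2]) &&
            (!reject_nul || hexval(s[1]) > 0 || hexval(s[2]) > 0)) {
            *d++ = (char) ((hexval(s[1]) << 4) | hexval(s[2]));
            s += 2;                     /* skip the two consumed hex digits */
        } else {
            *d++ = *s;                  /* literal byte, including a lone '%' */
        }
    }
    *d = '\0';
    return (size_t) (d - start);
}

/* Decodes buf and reports whether the result hides an embedded NUL:
 * returns 1 when the bytes written exceed what strlen() can see. */
static int decode_and_check(char *buf, int reject_nul,
                            size_t *written, size_t *seen)
{
    *written = pct_decode(buf, reject_nul);
    *seen = strlen(buf);
    return *written != *seen;
}

int main(void)
{
    /* Constructed sample input; the %00 sits inside an otherwise normal address. */
    char vulnerable[] = "user%00@example.org";
    char fixed[]      = "user%00@example.org";
    size_t w, n;

    printf("pre-fix : truncated=%d written=%zu strlen=%zu -> \"%s\"\n",
           decode_and_check(vulnerable, 0, &w, &n), w, n, vulnerable);
    printf("post-fix: truncated=%d written=%zu strlen=%zu -> \"%s\"\n",
           decode_and_check(fixed, 1, &w, &n), w, n, fixed);
    return 0;
}
```

In the pre-fix run the decoder writes 17 bytes but strlen() reports 4, so every consumer that treats the buffer as a C string sees only "user" while "@example.org" is still present after the terminator. With the check enabled the three bytes of %00 stay in the string and the two lengths agree.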
Attack Vector
An attacker delivers a crafted URL through any vector Mutt parses, such as a mailto: link or URL embedded in a message. When url_pct_decode() processes the input, the embedded NUL byte alters how the URL is interpreted by parsers and validators reading from the decoded buffer. The flaw requires specific conditions in URL handling to produce a security-relevant outcome, which is reflected in the high attack complexity rating.
if (s[1] && s[2] &&
isxdigit ((unsigned char) s[1]) &&
isxdigit ((unsigned char) s[2]) &&
- hexval (s[1]) >= 0 && hexval (s[2]) >= 0)
+ hexval(s[1]) >= 0 && hexval(s[2]) >= 0 &&
+ // check for embedded nul
+ (hexval(s[1]) > 0 || hexval(s[2]) > 0))
{
*d++ = (hexval (s[1]) << 4) | (hexval (s[2]));
s += 2;
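Review bot: the added lines drop the space before the parenthesis in hexval(s[1]) while the unchanged neighbours keep hexval (s[1]) and isxdigit ((unsigned char) s[1]), so the new condition should read `hexval (s[1]) > 0 || hexval (s[2]) > 0` to match the surrounding call style. The `// check for embedded nul` comment is likewise the only `//` comment in the hunk; a `/* check for embedded nul */` form avoids relying on C99 comment syntax. Functionally, when the new condition fails the %00 sequence falls through to the else branch for undecodable escapes, which is outside the hunk; a short note on that line saying the three bytes are then kept literally (if that is the intent) would document the behaviour the check relies on.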
Source: Mutt commit 12f54fe3b61f761c096fe95e95d5e3072af00ed2. The patch adds an additional condition that rejects the decoded zero byte by requiring at least one of the two hex digits to be non-zero.
Detection Methods for CVE-2026-43861
Indicators of Compromise
- URL strings containing the encoded sequence %00 reaching Mutt or processes invoked by Mutt
- Mutt binary versions reporting a release earlier than 2.3.2
- Mail content with mailto: URIs containing embedded percent-encoded null bytes
Detection Strategies
- Inspect inbound mail and stored mailboxes for URLs containing the substring %00 in mailto:, imap:, pop:, smtp:, or HTTP links handled by Mutt.
- Audit installed package versions of Mutt across Linux endpoints and verify that all hosts run 2.3.2 or later.
- Review mail gateway logs for messages whose body or headers contain percent-encoded null sequences within URI fields.
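The indicators and detection strategies above amount to one rule: find URI tokens with the schemes Mutt handles and flag those carrying a literal %00. The following is an added example, not part of this advisory or of Mutt: a small scanner that applies that rule to a constructed message. The function names, the scheme list (the schemes named above plus https:) and the sample mail text are assumptions made for this illustration; a bare %00 outside a URI is deliberately not counted, which keeps the rule from firing on ordinary text.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Schemes the advisory lists as handled by Mutt, plus https:. */
static const char *const SCHEMES[] = {
    "mailto:", "imap:", "pop:", "smtp:", "http:", "https:", NULL
};

/* Case-insensitive scheme match at p; returns the scheme length or 0. */
static size_t scheme_at(const char *p)
{
    for (int i = 0; SCHEMES[i]; i++) {
        size_t n = strlen(SCHEMES[i]);
        size_t k;
        for (k = 0; k < n; k++)
            if (tolower((unsigned char) p[k]) != SCHEMES[i][k])
                break;
        if (k == n)
            return n;
    }
    return 0;
}

/* True if the token [p, end) contains the three bytes "%00". */
static int has_pct_nul(const char *p, const char *end)
{
    for (; p + 2 < end; p++)
        if (p[0] == '%' && p[1] == '0' && p[2] == '0')
            return 1;
    return 0;
}

/* Counts URI tokens in text that contain "%00". A token runs from the
 * scheme to the next whitespace, closing angle bracket or quote. */
static int count_pct_nul_uris(const char *text)
{
    int hits = 0;
    const char *p = text;

    while (*p) {
        size_t n = scheme_at(p);
        if (n == 0) {
            p++;
            continue;
        }
        const char *end = p + n;
        while (*end && !isspace((unsigned char) *end) &&
               *end != '>' && *end != '"' && *end != '\'')
            end++;
        if (has_pct_nul(p, end))
            hits++;
        p = end;
    }
    return hits;
}

/* Constructed sample message; not a real captured mail. */
static const char SAMPLE_MAIL[] =
    "From: alice@example.net\r\n"
    "Subject: weekly report\r\n"
    "\r\n"
    "Report: https://example.org/files/report%20Q1.pdf\r\n"
    "Reply via mailto:team%00@example.org please\r\n"
    "Folder: <IMAP://mail.example.org/INBOX%00archive>\r\n"
    "A bare %00 outside any URI is not flagged.\r\n";

int main(void)
{
    printf("URIs with embedded %%00 in sample: %d\n",
           count_pct_nul_uris(SAMPLE_MAIL));
    return 0;
}
```

On the sample the scanner reports 2: the mailto: link and the IMAP folder reference, while the normal %20 escape and the bare %00 in prose are ignored. The same token-and-scheme logic can be dropped into a gateway filter or a mailbox audit script.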
Monitoring Recommendations
- Track Mutt version inventory through endpoint configuration data and flag systems running unpatched releases.
- Log invocations of helper applications launched by Mutt URL handlers and correlate with the originating URL strings.
- Capture file integrity events on user mail directories where crafted messages containing %00 URLs are written.
How to Mitigate CVE-2026-43861
Immediate Actions Required
- Upgrade Mutt to version 2.3.2 or later on all systems where the client is installed.
- Apply distribution security updates that backport the url_pct_decode() fix to packaged Mutt builds.
- Identify shared or multi-user hosts running Mutt and prioritize them for patching.
Patch Information
The upstream fix is committed as 12f54fe3b61f761c096fe95e95d5e3072af00ed2 in the Mutt repository. The patch adds a check in url_pct_decode() that rejects percent-encoded sequences decoding to a zero byte. Reference: Mutt url.c security commit.
Workarounds
- Filter inbound mail at the gateway to strip or quarantine messages containing %00 within URI fields when patching is delayed.
- Disable automatic URL handlers in Mutt configuration to prevent decoded URLs from being passed to external programs.
- Restrict Mutt usage to trusted mail sources until the upgrade is deployed.
# Verify installed Mutt version
mutt -v | head -n 1
# Debian/Ubuntu update
sudo apt-get update && sudo apt-get install --only-upgrade mutt
# RHEL/Fedora update
sudo dnf upgrade mutt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


