CVE-2026-43862 Overview
CVE-2026-43862 affects Mutt, the text-based email client widely used on Unix-like systems. The vulnerability resides in the imap_auth_gss() function in imap/auth_gss.c, which mishandles the security level exchanged during Generic Security Service Application Program Interface (GSSAPI) authentication to Internet Message Access Protocol (IMAP) servers. The flaw is classified as type confusion [CWE-843], caused by an incorrect type for the buf_size variable. All releases of Mutt prior to 2.3.2 are affected.
Critical Impact
A network-positioned attacker can exploit the type confusion in GSSAPI authentication handling to compromise the integrity of IMAP authentication exchanges in Mutt versions before 2.3.2.
Affected Products
- Mutt email client versions prior to 2.3.2
- Distributions packaging vulnerable Mutt builds with IMAP/GSSAPI support
- The muttmua/mutt upstream source tree before commit f547a849
Discovery Timeline
- 2026-05-04 - CVE-2026-43862 published to the National Vulnerability Database (NVD)
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-43862
Vulnerability Analysis
The vulnerability stems from improper handling of the GSSAPI security level negotiation in Mutt's IMAP authentication routine. imap_auth_gss() declared buf_size as unsigned long, but the GSSAPI exchange carries the security level and maximum message size as a 32-bit value. On platforms where unsigned long is 64 bits, the variable is twice the width of the protocol field, so the size check operates on incorrectly typed data. This is a type confusion condition [CWE-843].
The mishandled security level can affect the integrity of the authenticated IMAP session. The attack requires high complexity and network-adjacent positioning, such as control of the IMAP server endpoint or a man-in-the-middle posture during connection setup.
Root Cause
The root cause is the use of an architecture-dependent integer type (unsigned long) instead of the protocol-defined fixed-width type (uint32_t) when parsing the GSSAPI security layer response. The size validation logic therefore fails to enforce the intended bounds across the four GSSAPI security level bits, leading to inconsistent enforcement of the negotiated protection level.
Attack Vector
Exploitation requires an attacker to interact with the Mutt client during IMAP GSSAPI authentication. A malicious or compromised IMAP server can return a crafted security level response. Because the buffer size type is mishandled, the security level enforcement may be bypassed for the resulting session, weakening the integrity of subsequent authenticated traffic.
int cflags;
OM_uint32 maj_stat, min_stat;
BUFFER *buf1 = NULL, *buf2 = NULL;
- unsigned long buf_size;
+ uint32_t buf_size;
int rc, retval = IMAP_AUTH_FAILURE;
if (!mutt_bit_isset (idata->capabilities, AGSSAPI))
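Review bot: the `+ uint32_t buf_size;` line depends on <stdint.h> (or an include that pulls it in) being available in imap/auth_gss.c, and the hunk shows neither an include change nor the lines that fill and test buf_size; confirm the include is present and that every site that copies bytes into buf_size or compares it against the security level bits is consistent with a 4-byte variable, otherwise the declaration change alone narrows the storage without fixing the parsing. The excerpt also has no @@ header, so the enclosing function is only identifiable from the surrounding prose; quoting the header would make the change reviewable on its own.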
Source: GitHub Mutt Commit f547a849 — the patch corrects the buf_size declaration from unsigned long to uint32_t, aligning the variable with the GSSAPI specification.
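The following is an added example, not Mutt's code and not part of the commit above. It shows the fixed-width parsing the advisory's root cause calls for: the 4-octet security-layer token is assembled into a uint32_t octet by octet, so the result does not depend on sizeof(unsigned long) or on host byte order, and the length is checked before any field is read. The token layout (octet 0 a bitmask of offered layers, octets 1 to 3 the maximum message size, big-endian) is taken from RFC 4752 and is this example's assumption; the macro names, struct and function names are also the example's own, and rejecting reserved layer bits is a policy choice of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Wire layout assumed by this example (RFC 4752, SASL GSSAPI mechanism; an
 * assumption of the example, not something the advisory states):
 *   octet 0    bitmask of security layers the server offers
 *   octets 1-3 maximum message size the server accepts, big-endian
 * The token is exactly four octets, i.e. one 32-bit field.
 */
#define GSS_TOKEN_LEN    4u
#define GSS_LAYER_NONE   0x01u   /* no security layer */
#define GSS_LAYER_INTEG  0x02u   /* integrity protection */
#define GSS_LAYER_CONF   0x04u   /* confidentiality protection */
#define GSS_LAYER_KNOWN  (GSS_LAYER_NONE | GSS_LAYER_INTEG | GSS_LAYER_CONF)

struct gss_layer_token {
    uint8_t  layers;    /* offered layer bitmask, octet 0 */
    uint32_t max_size;  /* maximum message size, octets 1-3, host order */
};

/* Assemble the 32-bit field octet by octet. The result is a uint32_t
 * whatever sizeof(unsigned long) and the host byte order are, which is the
 * property the advisory's fix restores by declaring buf_size as uint32_t. */
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse an unwrapped security-layer token. Returns 0 on success and -1 when
 * the token is malformed; on failure *out is left untouched. */
int parse_gss_layer_token(const uint8_t *tok, size_t len,
                          struct gss_layer_token *out)
{
    uint32_t word;
    uint8_t layers;

    if (tok == NULL || out == NULL || len != GSS_TOKEN_LEN)
        return -1;                      /* wrong length: reject, never guess */

    word   = load_be32(tok);
    layers = (uint8_t)(word >> 24);

    if (layers == 0)
        return -1;                      /* server offered no layer at all */
    if (layers & (uint8_t)~GSS_LAYER_KNOWN)
        return -1;                      /* reserved bits set: policy of this example */

    out->layers   = layers;
    out->max_size = word & 0x00FFFFFFu; /* low 24 bits only */
    return 0;
}

/* Client policy check: every layer bit in `required` must be offered. */
int gss_layer_offered(const struct gss_layer_token *t, uint8_t required)
{
    return (t->layers & required) == required;
}

int main(void)
{
    /* constructed sample: server offers NONE and CONF, max size 4096 */
    static const uint8_t sample[GSS_TOKEN_LEN] = { 0x05, 0x00, 0x10, 0x00 };
    struct gss_layer_token t;

    if (parse_gss_layer_token(sample, sizeof sample, &t) != 0) {
        puts("malformed security-layer token");
        return 1;
    }
    printf("layers=0x%02x max_size=%u confidentiality %s\n",
           t.layers, (unsigned)t.max_size,
           gss_layer_offered(&t, GSS_LAYER_CONF) ? "offered" : "not offered");
    return 0;
}
```

Building the value with shifts instead of copying wire bytes into a variable of platform-dependent width is what makes the comparison against the layer bits and the size field meaningful on every architecture; a declaration of the right width is the minimum, and an explicit length check keeps a short or long token from being interpreted at all.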
Detection Methods for CVE-2026-43862
Indicators of Compromise
- Outbound IMAP connections from user workstations to untrusted or unexpected IMAP servers using GSSAPI authentication.
- Mutt binary versions reporting a release earlier than 2.3.2 in installed package metadata.
- Anomalous Kerberos service ticket requests for imap/ service principals from hosts running Mutt.
Detection Strategies
- Inventory installed Mutt versions across Linux and Unix endpoints and flag any version below 2.3.2.
- Monitor IMAP traffic for GSSAPI security layer negotiations terminating against non-corporate mail servers.
- Correlate process execution of mutt with outbound TCP/143 or TCP/993 traffic to external destinations.
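As an added example for the version inventory step above (not code from Mutt or from the advisory), the following checks a `mutt -v` banner against the fixed release numerically rather than by string comparison, so that a release such as 2.3.10 is not misclassified as older than 2.3.2. The banner format "Mutt X.Y.Z (...)" is an assumption of this example, the sample banners are constructed, and the function names are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Fixed release per the advisory. */
#define FIXED_MAJOR 2
#define FIXED_MINOR 3
#define FIXED_PATCH 2

struct mutt_version { int major, minor, patch; };

/* Extract major.minor.patch from a banner assumed to read "Mutt X.Y.Z (...)".
 * Returns 0 on success. A missing patch component ("Mutt 2.3") is read as 0. */
int parse_mutt_banner(const char *line, struct mutt_version *v)
{
    int n;
    if (line == NULL || v == NULL) return -1;
    v->major = v->minor = v->patch = 0;
    n = sscanf(line, "Mutt %d.%d.%d", &v->major, &v->minor, &v->patch);
    if (n < 2) return -1;
    if (v->major < 0 || v->minor < 0 || v->patch < 0) return -1;
    return 0;
}

/* Component-wise numeric comparison: "2.3.10" sorts after "2.3.2", which a
 * plain string comparison gets wrong. Returns <0, 0 or >0. */
int compare_mutt_version(const struct mutt_version *a,
                         const struct mutt_version *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    return 0;
}

/* 1 if the banner reports a release older than 2.3.2 (flag the host),
 * 0 if it is at or above the fixed release,
 * -1 if the banner could not be parsed (flag for manual review). */
int mutt_banner_vulnerable(const char *line)
{
    struct mutt_version v;
    const struct mutt_version fixed = { FIXED_MAJOR, FIXED_MINOR, FIXED_PATCH };
    if (parse_mutt_banner(line, &v) != 0) return -1;
    return compare_mutt_version(&v, &fixed) < 0 ? 1 : 0;
}

int main(void)
{
    /* constructed banners as an inventory job might collect them */
    static const char *banners[] = {
        "Mutt 2.2.12 (constructed)",
        "Mutt 2.3.1 (constructed)",
        "Mutt 2.3.2 (constructed)",
        "Mutt 2.3.10 (constructed)",
        "Mutt (version unavailable)",
    };
    size_t i;
    for (i = 0; i < sizeof banners / sizeof banners[0]; i++) {
        int r = mutt_banner_vulnerable(banners[i]);
        printf("%-28s -> %s\n", banners[i],
               r == 1 ? "VULNERABLE (below 2.3.2)" :
               r == 0 ? "fixed" : "unparsed, review manually");
    }
    return 0;
}
```

Hosts whose banner cannot be parsed are reported separately rather than silently treated as fixed, which is the failure mode an inventory script should avoid.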
Monitoring Recommendations
- Capture endpoint telemetry for Mutt process launches and the IMAP servers contacted during each session.
- Alert on Kerberos authentication failures or downgrades involving the IMAP service principal.
- Track package management events that install or update Mutt to confirm patched versions are deployed.
How to Mitigate CVE-2026-43862
Immediate Actions Required
- Upgrade Mutt to version 2.3.2 or later on all systems where it is installed.
- Apply distribution-provided security updates that include the upstream commit f547a849.
- Restrict Mutt clients to authenticated IMAP servers under organizational control.
Patch Information
The upstream fix is published in the muttmua/mutt repository as commit f547a849cdacb512800a5f477c27de217e1c8151. The patch redefines buf_size in imap/auth_gss.c from unsigned long to uint32_t, ensuring the GSSAPI security level size check uses the correct fixed-width type. Linux distribution maintainers have backported this change to packaged Mutt builds; consult vendor advisories for distribution-specific package versions.
Workarounds
- Disable GSSAPI authentication in Mutt and use an alternative IMAP authentication mechanism such as TLS client certificates or SASL PLAIN over TLS.
- Configure Mutt to connect only to trusted IMAP servers, and restrict the authentication mechanisms it will accept with imap_authenticators.
- Route Mutt IMAP traffic through a corporate VPN or mail gateway to limit exposure to untrusted networks.
# Configuration example: disable GSSAPI in ~/.muttrc until patched
set imap_authenticators="login:plain"
set ssl_force_tls=yes
set ssl_starttls=yes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.