CVE-2026-43864 Overview
CVE-2026-43864 is a NULL pointer dereference vulnerability in the Mutt email client before version 2.3.2. The flaw resides in the show_sig_summary() function within crypt-gpgme.c, which handles GPGME signature summary display. When processing a signature whose associated key or subkey structure is missing, the function dereferences a NULL pointer, causing the client to crash. The vulnerability is tracked under CWE-476: NULL Pointer Dereference and requires local access plus user interaction to trigger.
Critical Impact
A crafted PGP-signed message can crash Mutt when the recipient views or processes the signature, resulting in a localized denial of service.
Affected Products
- Mutt email client versions prior to 2.3.2
- Linux and Unix distributions packaging vulnerable Mutt builds
- Mail-handling environments using Mutt with GPGME signature verification
Discovery Timeline
- 2026-05-04 - CVE-2026-43864 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-43864
Vulnerability Analysis
The vulnerability exists in Mutt's GPGME integration code, specifically in the show_sig_summary() routine that renders signature status to the user. The function inspects key->subkeys->expires to determine when a signing key expires. If the key pointer or key->subkeys member is NULL, the dereference triggers a segmentation fault.
The condition arises when Mutt processes a signed message whose signature contains a valid summary flag (GPGME_SIGSUM_KEY_EXPIRED) but lacks an accompanying key structure. The original code assumed both pointers were always populated whenever the expiration summary bit was set. That assumption fails for malformed or partially populated signatures returned by GPGME.
The impact is limited to availability. The exploit cannot leak memory, escalate privileges, or execute code. The CWE-476 classification accurately reflects the bug class.
Root Cause
The root cause is missing NULL validation on the key and subkeys pointers before dereference. The fix introduces a guard expression that confirms both pointers are non-NULL before reading the expires field, defaulting the timestamp to zero otherwise.
Attack Vector
An attacker crafts or relays a PGP-signed message that produces a signature summary lacking a populated key structure. When a Mutt user opens the message, show_sig_summary() executes and crashes the client process. Exploitation requires the local user to interact with the message, matching the AV:L/UI:R attack profile.
// Patch from crypt-gpgme.c - show_sig_summary()
// Source: https://github.com/muttmua/mutt/commit/ebfa2969042d89303d15334193fcc32866c8a8df
if ((sum & GPGME_SIGSUM_KEY_EXPIRED))
{
- time_t at = key->subkeys->expires ? key->subkeys->expires : 0;
+ time_t at = (key && key->subkeys) ? key->subkeys->expires : 0;
if (at)
{
state_puts (_("Warning: The key used to create the "
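Review bot: with a NULL key or key->subkeys the new expression sets at to 0, so the following if (at) branch prints nothing and the GPGME_SIGSUM_KEY_EXPIRED condition is silently dropped for exactly the signatures that used to crash; consider an else branch that still emits a generic expired-key warning via state_puts without the timestamp, so the user is not shown a quieter result than a well-formed signature would produce. The excerpt also ends mid-string after `state_puts (_("Warning: The key used to create the "`, so the remaining context of the hunk cannot be reviewed here.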
The patch replaces the unchecked dereference with a conditional that validates both key and key->subkeys before accessing expires. Source: GitHub Commit ebfa2969.
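The pre-fix and patched expressions side by side, as an added example that is not Mutt's own code: the GPGME types are replaced by constructed stand-in structs with only the fields the bug touches, and SIGSUM_KEY_EXPIRED is an assumed stand-in for GPGME_SIGSUM_KEY_EXPIRED. The last function mirrors the decision structure of the patched show_sig_summary() so the "missing key" path can be exercised without a crash.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Constructed stand-ins for the GPGME structures used by show_sig_summary();
   not the real gpgme.h definitions, only the fields the bug touches. */
#define SIGSUM_KEY_EXPIRED 0x0020u   /* assumed value mirroring GPGME_SIGSUM_KEY_EXPIRED */

typedef struct demo_subkey {
    time_t expires;                  /* 0 means the subkey never expires */
    struct demo_subkey *next;
} demo_subkey_t;

typedef struct demo_key {
    demo_subkey_t *subkeys;          /* may be NULL for a partially populated key */
} demo_key_t;

/* Pre-fix logic: assumes key and key->subkeys are always populated.
   Passing a NULL key or a key with NULL subkeys dereferences NULL. */
static time_t expiry_unchecked(const demo_key_t *key)
{
    return key->subkeys->expires ? key->subkeys->expires : 0;
}

/* Patched logic (commit ebfa2969): guard both pointers before the read,
   defaulting the timestamp to zero when either is missing. */
static time_t expiry_guarded(const demo_key_t *key)
{
    return (key && key->subkeys) ? key->subkeys->expires : 0;
}

/* Mirrors the patched show_sig_summary() branch: returns 1 and fills buf
   when an expiry warning would be rendered, 0 when nothing is printed. */
static int sig_expiry_warning(unsigned sum, const demo_key_t *key, char *buf, size_t n)
{
    if (!(sum & SIGSUM_KEY_EXPIRED))
        return 0;                    /* summary bit not set: no warning */
    time_t at = expiry_guarded(key);
    if (!at)
        return 0;                    /* missing key or no expiry: skipped, as in the patch */
    struct tm tmv;
    gmtime_r(&at, &tmv);
    strftime(buf, n, "Warning: signing key expired at %Y-%m-%d", &tmv);
    return 1;
}
```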
Detection Methods for CVE-2026-43864
Indicators of Compromise
- Unexpected Mutt process crashes or segmentation faults logged in dmesg or journalctl while viewing signed mail
- Core dumps referencing show_sig_summary or crypt-gpgme.c in stack traces
- Mail folders containing PGP-signed messages with malformed or absent signing key data
Detection Strategies
- Inventory installed Mutt versions across endpoints and flag any build earlier than 2.3.2
- Correlate mail-client crash signals with recent message reads to identify suspect messages
- Inspect message stores for signed messages whose GPGME verification produces summary flags without key structures
Monitoring Recommendations
- Forward auditd and systemd-coredump events from mail-handling hosts to a centralized log platform
- Alert on repeated crashes of the mutt binary on the same host within short time windows
- Track package versions for mutt through configuration management to confirm patch deployment
How to Mitigate CVE-2026-43864
Immediate Actions Required
- Upgrade Mutt to version 2.3.2 or later on all affected systems
- Apply distribution-provided security updates that backport the show_sig_summary fix
- Restrict processing of untrusted signed messages until patches are installed
Patch Information
The upstream fix is available in the muttmua/mutt repository as commit ebfa2969042d89303d15334193fcc32866c8a8df. The change adds NULL checks for key and key->subkeys before dereferencing expires. Refer to the upstream commit for the full diff and integrate the patched build through the standard package channel.
Workarounds
- Disable automatic GPGME signature verification in muttrc by setting crypt_verify_sig = no until patched
- Avoid opening signed messages from untrusted senders on unpatched clients
- Run Mutt under a restricted account to contain crash impact on shared systems
# Temporary muttrc workaround until upgrading to 2.3.2
set crypt_verify_sig = no
# Verify installed version after patching
mutt -v | head -n 1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.