mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest.
CVSS Details
CVSS Score: 3.7
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Configurations (Affected Products)
mutt < 2.3.2
PoC / Exploit Code
⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Simulate the vulnerable strfcpy behaviour (simplified).
# strfcpy copies at most 'size-1' bytes and always NUL-terminates; it stops at
# the first NUL byte in src, which is string semantics applied to binary data.
def vulnerable_strfcpy(dest, src, size):
    i = 0
    while i < size - 1 and i < len(src):
        if src[i] == 0:  # Stop at NUL byte
            break
        dest[i] = src[i]
        i += 1
    dest[i] = 0  # NUL terminate
    return dest


# Assume we have a dummy MD5 digest that contains a NUL byte at index 5.
# A normal MD5 digest is 16 bytes.
# In a real attack, the attacker (controlling the server) forces a challenge
# that results in a specific digest from the client's known password.
md5_digest = bytes([1, 2, 3, 4, 5, 0, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16])
print(f"Original MD5 Digest (hex): {md5_digest.hex()}")

# Vulnerable code execution: the digest is copied with string semantics.
buffer_size = 16
vuln_buffer = bytearray(buffer_size)
copied_data = vulnerable_strfcpy(vuln_buffer, md5_digest, buffer_size)
print(f"Vulnerable Copy (hex): {copied_data.hex()}")
print("Note: Data truncated at the NULL byte (index 5). Authentication bypass possible if server accepts truncated hash.")
```
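Because the bug lives in C string handling, the following C program is added here as an illustration of the defect and its fix; it is not code from this page's PoC or from the mutt project. It places a strfcpy-style copy (a strncpy-based stand-in, assumed for illustration, not mutt's actual macro) beside the memcpy copy, counts how many digest bytes each one loses, and hex-encodes the result. The sample digests are constructed values with a 0x00 byte at index 5 and with no 0x00 byte at all, not real HMAC output.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MD5_DIGEST_LEN 16

/* Vulnerable pattern: the raw digest is copied as if it were a C string.
 * This stand-in mirrors the classic strfcpy shape (strncpy plus a forced
 * terminator); it is an assumption for illustration, not mutt's macro. */
void copy_digest_string_style(uint8_t *dst, const uint8_t *src, size_t n)
{
    if (n == 0)
        return;
    strncpy((char *)dst, (const char *)src, n); /* stops at first 0x00, zero-pads the rest */
    dst[n - 1] = 0;                              /* last byte is always clobbered */
}

/* Fixed pattern: binary data is copied by length, never by terminator. */
void copy_digest_memcpy(uint8_t *dst, const uint8_t *src, size_t n)
{
    memcpy(dst, src, n);
}

/* Count bytes where the copy differs from the original digest. */
size_t digest_bytes_lost(const uint8_t *orig, const uint8_t *copy, size_t n)
{
    size_t lost = 0;
    for (size_t i = 0; i < n; i++)
        if (orig[i] != copy[i])
            lost++;
    return lost;
}

/* Hex-encode n bytes into hex (needs 2*n+1 bytes of room). It always emits
 * 2*n characters, so a truncated digest is not visible by output length;
 * the bytes themselves must be compared. */
void digest_to_hex(const uint8_t *d, size_t n, char *hex, size_t hexsize)
{
    static const char digits[] = "0123456789abcdef";
    if (hexsize < 2 * n + 1) {
        if (hexsize > 0)
            hex[0] = 0;
        return;
    }
    for (size_t i = 0; i < n; i++) {
        hex[2 * i] = digits[d[i] >> 4];
        hex[2 * i + 1] = digits[d[i] & 0x0f];
    }
    hex[2 * n] = 0;
}

/* Constructed sample digest with a 0x00 byte at index 5 (not a real HMAC). */
const uint8_t sample_digest[MD5_DIGEST_LEN] =
    {1, 2, 3, 4, 5, 0, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};

/* Constructed sample digest with no 0x00 byte at all (not a real HMAC). */
const uint8_t sample_digest_no_nul[MD5_DIGEST_LEN] =
    {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};

/* Number of digest bytes lost when copied with string semantics. */
size_t bytes_lost_string_style(const uint8_t *digest)
{
    uint8_t copy[MD5_DIGEST_LEN];
    copy_digest_string_style(copy, digest, MD5_DIGEST_LEN);
    return digest_bytes_lost(digest, copy, MD5_DIGEST_LEN);
}

/* Number of digest bytes lost when copied with memcpy (always 0). */
size_t bytes_lost_memcpy(const uint8_t *digest)
{
    uint8_t copy[MD5_DIGEST_LEN];
    copy_digest_memcpy(copy, digest, MD5_DIGEST_LEN);
    return digest_bytes_lost(digest, copy, MD5_DIGEST_LEN);
}

int main(void)
{
    char hex[2 * MD5_DIGEST_LEN + 1];
    uint8_t copy[MD5_DIGEST_LEN];

    copy_digest_string_style(copy, sample_digest, MD5_DIGEST_LEN);
    digest_to_hex(copy, MD5_DIGEST_LEN, hex, sizeof hex);
    printf("strfcpy-style: %s (%zu bytes lost)\n", hex, bytes_lost_string_style(sample_digest));

    copy_digest_memcpy(copy, sample_digest, MD5_DIGEST_LEN);
    digest_to_hex(copy, MD5_DIGEST_LEN, hex, sizeof hex);
    printf("memcpy:        %s (%zu bytes lost)\n", hex, bytes_lost_memcpy(sample_digest));

    printf("digest without 0x00, strfcpy-style: %zu byte(s) lost\n",
           bytes_lost_string_style(sample_digest_no_nul));
    return 0;
}
```

Two things the run makes visible that the Python PoC does not: a digest with no zero byte still loses its final byte to the forced terminator, and the hex encoding of the damaged buffer is still 32 characters long, so a length check on the encoded response does not detect the truncation. The fix is the one the page names: copy the digest with memcpy and its known length.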