Description
Mumble before 1.6.870 is prone to an out-of-bounds array access, which may result in denial of service (client crash).
Published: 2026-03-16
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (client crash)
Action: Patch
AI Analysis

Impact

The vulnerability is an out‑of‑bounds array access that may cause the client to terminate. The crash results in denial of service, disrupting the end‑user's ability to communicate. This weakness is classified as CWE‑125 and does not provide code execution or privilege escalation. The impact is confined to the local machine where the Mumble client runs.

Affected Systems

The affected product is the Mumble audio‑chat client from the Mumble project. All releases before 1.6.870 contain the bug. Users on Windows, macOS, Linux, or other supported platforms running any pre‑1.6.870 build are at risk. The vulnerability is vendor and product specific and is mitigated by acquiring a later version.

Risk and Exploitability

The CVSS score of 3.7 indicates low severity, and the EPSS of less than 1% shows a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, suggesting no known widespread exploitation. Attacking this flaw would require that a malicious packet be processed by the client, likely from a remote server or a local user providing malformed data; these inferences are based on the nature of an out‑of‑bounds access and are not directly stated in the CVE description.

Generated by OpenCVE AI on April 2, 2026 at 17:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Mumble 1.6.870 or later.


Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Mumble Client Crash due to Out-of-Bounds Array Access in Versions Prior to 1.6.870

Thu, 02 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mumble:mumble:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title Mumble Client Crash due to Out-of-Bounds Array Access in Versions Prior to 1.6.870

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Mumble
Mumble mumble
Vendors & Products Mumble
Mumble mumble

Mon, 16 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 07:00:00 +0000

Type Values Removed Values Added
Description Mumble before 1.6.870 is prone to an out-of-bounds array access, which may result in denial of service (client crash).
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-16T14:40:37.627Z

Reserved: 2026-03-16T06:13:50.762Z

Link: CVE-2025-71264

Vulnrichment

Updated: 2026-03-16T14:37:12.666Z

NVD

Status: Analyzed

Published: 2026-03-16T14:18:02.610

Modified: 2026-04-02T14:48:52.760

Link: CVE-2025-71264

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:23:37Z

Weaknesses