Description
mutt before 2.3.2 does not check for '\0' in url_pct_decode.
Published: 2026-05-04
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

mutt before 2.3.2 does not perform a null terminator check in the url_pct_decode function, which can cause the program to read beyond intended buffer boundaries when encountering a URL with an embedded null character. The resulting undefined behavior may lead to a program crash, effectively denying the service to legitimate users. This weakness is categorized as CWE-158.

Affected Systems

The vulnerability affects the mutt mail user agent for all releases prior to version 2.3.2. No other vendors or product variants are mentioned in the available data.

Risk and Exploitability

The CVSS score of 3.7 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that exploit activity is either not widespread or not officially documented. The likely attack vector is local or remote via email content that contains a malicious URL; an attacker could craft a message that triggers the buggy decoding path, leading to a crash. Exploitation requires the vulnerable version of mutt to process the crafted URL, which is feasible in environments where mutt is the default mail client or is invoked by a mail handling script.

Generated by OpenCVE AI on May 4, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to mutt version 2.3.2 or newer, which includes the null‑termination check in url_pct_decode.
  • If an upgrade is not immediately possible, avoid processing URLs through url_pct_decode for untrusted input, limiting the function to trusted or sanitized data only.
  • Validate that all URLs passed to mutt contain a terminating null character before decoding, enforcing proper string termination to prevent out‑of‑bounds reads.

Generated by OpenCVE AI on May 4, 2026 at 07:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 07:45:00 +0000

Type Values Removed Values Added
Title Null-Termination Check Missing in URL Decoding of mutt

Mon, 04 May 2026 06:45:00 +0000

Type Values Removed Values Added
Description mutt before 2.3.2 does not check for '\0' in url_pct_decode.
First Time appeared Mutt
Mutt mutt
Weaknesses CWE-158
CPEs cpe:2.3:a:mutt:mutt:*:*:*:*:*:*:*:*
Vendors & Products Mutt
Mutt mutt
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Mutt Mutt
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-04T18:20:52.988Z

Reserved: 2026-05-04T05:52:59.155Z

Link: CVE-2026-43861

cve-icon Vulnrichment

Updated: 2026-05-04T12:45:13.943Z

cve-icon NVD

Status : Received

Published: 2026-05-04T07:16:00.730

Modified: 2026-05-04T07:16:00.730

Link: CVE-2026-43861

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T07:30:40Z

Weaknesses