Description
mutt before 2.3.2 has an infinite loop in data_object_to_stream in crypt-gpgme.c.
Published: 2026-05-04
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability manifests as an infinite loop triggered during GPG data handling in mutt before 2.3.2. The flaw involves incorrect input validation (CWE-253), which creates the infinite loop (CWE-835). When the loop engages, the mail client consumes CPU cycles indefinitely, rendering it unresponsive and blocking further email operations. This creates a denial‑of‑service condition that can affect a single user or an entire host running the software, depending on the deployment environment.

Affected Systems

Installations of the mutt email client with any version earlier than 2.3.2 are impacted. The flaw is confined to the crypt-gpgme.c component, which processes gpgme data objects. Only the mutt product is affected; no other vendor or product is listed.

Risk and Exploitability

The CVSS score of 3.7 indicates medium severity. The EPSS score is < 1% (0.00033), indicating a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation. The attack likely requires an attacker to provide a specially crafted email or data object that invokes data_object_to_stream, pointing to a local or remote vector via email processing. Since the flaw is an input handling error, exploitation depends on supplying the triggering content; otherwise the client remains unaffected.

Generated by OpenCVE AI on May 7, 2026 at 16:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official update to mutt version 2.3.2 or later to eliminate the infinite loop logic error.
  • If an immediate patch is unavailable, disable automatic GPG decryption of incoming messages or manually skip decryption for potentially malicious emails until a fix is applied.
  • Use resource limiting mechanisms such as cgroups or CPU quotas on the mutt process to cap CPU usage and contain the effect of the loop in case it is triggered.

Generated by OpenCVE AI on May 7, 2026 at 16:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Infinite loop in Mutt crypt-gpgme.c causes denial of service mutt: Mutt: Remote Denial of Service via crafted input
Weaknesses CWE-835
References
Metrics threat_severity

None

 threat_severity

Low

Mon, 04 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 07:45:00 +0000

Type Values Removed Values Added
Title Infinite loop in Mutt crypt-gpgme.c causes denial of service

Mon, 04 May 2026 06:45:00 +0000

Type Values Removed Values Added
Description mutt before 2.3.2 has an infinite loop in data_object_to_stream in crypt-gpgme.c.
First Time appeared Mutt
Mutt mutt
Weaknesses CWE-253
CPEs cpe:2.3:a:mutt:mutt:*:*:*:*:*:*:*:*
Vendors & Products Mutt
Mutt mutt
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Mutt Mutt
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-04T18:25:49.692Z

Reserved: 2026-05-04T06:05:52.765Z

Link: CVE-2026-43863

cve-icon Vulnrichment

Updated: 2026-05-04T13:47:33.404Z

cve-icon NVD

Status : Deferred

Published: 2026-05-04T07:16:01.033

Modified: 2026-05-05T19:44:42.893

Link: CVE-2026-43863

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-04T06:05:53Z

Links: CVE-2026-43863 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T16:15:09Z

Weaknesses