Description
Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.
Published: 2026-05-04
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer over-read can occur when Postfix processes an enhanced status code whose three numeric components are not followed by the expected text, i.e. the code ends right after the third number. The over-read leads to an application crash, which prevents the mail transfer agent from accepting or routing further messages until it is restarted. The weakness corresponds to CWE-193, a sign extension or integer conversion error, and does not provide remote code execution or data disclosure capabilities.
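An added illustration of the input shape the advisory describes, not Postfix's own code: a bounds-checked parser for an RFC 3463 enhanced status code ("class.subject.detail text") that only succeeds when text follows the third number, so a code that stops there is rejected instead of being read past the end of the buffer. The function and struct names are assumptions for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Parsed RFC 3463 enhanced status code: class.subject.detail */
struct dsn_code { int cls; int subject; int detail; };

/* Parse one dotted-decimal field from s[*i .. len), advancing *i.
   Fails when no digit is present or the field exceeds three digits. */
static bool parse_field(const char *s, size_t len, size_t *i, int *out) {
    int val = 0, ndigits = 0;
    while (*i < len && isdigit((unsigned char)s[*i])) {
        val = val * 10 + (s[*i] - '0');
        (*i)++;
        if (++ndigits > 3) return false;   /* RFC 3463: 1 to 3 digits per field */
    }
    if (ndigits == 0) return false;
    *out = val;
    return true;
}

/* Parse "X.Y.Z text" at the start of buf. buf need not be NUL-terminated;
   len is authoritative and every access is checked against it.
   Returns the offset of the text on success, or -1 on any malformed input,
   including the advisory's case of a code with nothing after the third number. */
long parse_enhanced_status(const char *buf, size_t len, struct dsn_code *code) {
    size_t i = 0;
    if (!parse_field(buf, len, &i, &code->cls)) return -1;
    if (code->cls != 2 && code->cls != 4 && code->cls != 5) return -1; /* success/transient/permanent */
    if (i >= len || buf[i] != '.') return -1;
    i++;
    if (!parse_field(buf, len, &i, &code->subject)) return -1;
    if (i >= len || buf[i] != '.') return -1;
    i++;
    if (!parse_field(buf, len, &i, &code->detail)) return -1;
    /* Edge case: the code ends at the buffer boundary or is not followed by a space. */
    if (i >= len || buf[i] != ' ') return -1;
    while (i < len && buf[i] == ' ') i++;
    if (i >= len) return -1;            /* whitespace only, no text */
    return (long)i;
}
```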

Affected Systems

Postfix versions prior to 3.8.16, 3.9.10, and 3.10.9 are affected. This includes the distribution packages of any supported operating system that still ships one of those older Postfix releases.

Risk and Exploitability

The CVSS score of 3.7 rates this vulnerability as Low severity; the vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) records a network attack vector with high attack complexity, no privileges or user interaction required, and an impact limited to availability. EPSS is not available, and it is not listed in the CISA KEV catalog. A malicious actor can trigger the crash by sending a specially crafted SMTP message containing an enhanced status code that lacks text after the third number. Anyone able to inject such a message into the server's processing could exploit the flaw, potentially interrupting service for affected mail systems.

Generated by OpenCVE AI on May 4, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Postfix to version 3.8.16 or later, 3.9.10 or later, or 3.10.9 or later.
  • If an upgrade is not immediately feasible, restrict or filter inbound SMTP traffic to reject messages that contain malformed enhanced status codes, or disable processing of such codes through a content filter.
  • Monitor Postfix logs for crash indications and implement fail-over or high-availability measures to reduce downtime.

Advisories

No advisories yet.

History

Mon, 04 May 2026 23:30:00 +0000

  Type                 Values Removed   Values Added
  References

Mon, 04 May 2026 21:45:00 +0000

  Type                 Values Removed   Values Added
  Title                                 Postfix Enhanced Status Code Buffer Over-read Crash

Mon, 04 May 2026 20:30:00 +0000

  Type                 Values Removed   Values Added
  Metrics                               ssvc
                                        {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 19:00:00 +0000

  Type                 Values Removed   Values Added
  Description                           Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.
  First Time appeared                   Postfix
                                        Postfix postfix
  Weaknesses                            CWE-193
  CPEs                                  cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*:*
  Vendors & Products                    Postfix
                                        Postfix postfix
  References
  Metrics                               cvssV3_1
                                        {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-04T22:21:13.917Z

Reserved: 2026-05-04T18:10:10.120Z

Link: CVE-2026-43964

Vulnrichment

Updated: 2026-05-04T22:21:13.917Z

NVD

Status: Received

Published: 2026-05-04T19:16:07.143

Modified: 2026-05-04T23:16:00.153

Link: CVE-2026-43964

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T23:30:10Z

Weaknesses