Multiple Vulnerabilities in Mutt Affecting SUSE and openSUSE Users

Severity: Medium (Score: 45.9)

Sources: Linuxsecurity

Published: 2026-06-09 · Updated: 2026-06-09

Keywords: mutt, update, fixes, following, issues, cve-2026-43859, strfcpy

Severity indicators: vulnerability, issue, rat, CVE:CVE-2026-43859

Summary

SUSE and openSUSE have released security updates for the Mutt email client addressing multiple vulnerabilities. The updates fix issues including a NULL pointer dereference, an infinite loop, and improper handling of IMAP authentication. Key vulnerabilities include CVE-2026-43859 through CVE-2026-43864, all published on 2026-05-04. These vulnerabilities could potentially lead to denial of service or unauthorized access if exploited. Users are advised to apply the patches using recommended installation methods like YaST or zypper. The updates were released on 2026-06-08, and both advisories emphasize the importance of immediate patching. The vulnerabilities have been rated as moderate in severity.

Key Points:

  • SUSE and openSUSE released patches for Mutt addressing multiple vulnerabilities.
  • Key CVEs include CVE-2026-43859 to CVE-2026-43864, all published on 2026-05-04.
  • Users are urged to apply patches immediately to mitigate potential risks.

Detailed Analysis

**Impact** Users of Mutt email clients on SUSE and openSUSE Linux distributions are affected by multiple moderate-severity vulnerabilities. The issues could lead to denial of service, information disclosure, or potential privilege escalation within affected systems. No specific sectors, geographies, or data breach details are provided in the source articles.

**Technical Details** The vulnerabilities include improper use of `strfcpy` instead of `memcpy` (CVE-2026-43859), truncation of `hash_passwd` (CVE-2026-43860), missing null byte checks in URL decoding (CVE-2026-43861), mishandling of IMAP GSSAPI authentication (CVE-2026-43862), an infinite loop in GPGME cryptographic stream handling (CVE-2026-43863), and a NULL pointer dereference in signature summary display (CVE-2026-43864). Attack vectors involve network exposure via IMAP authentication and local processing of cryptographic data. No malware, tools, or infrastructure details are mentioned. The vulnerabilities affect confidentiality, integrity, and availability at various stages of the kill chain.

**Recommended Response** Apply the SUSE and openSUSE security updates for Mutt immediately using YaST online_update or `zypper patch` to remediate all listed CVEs. Monitor for abnormal IMAP authentication failures or application crashes related to Mutt processes. Harden configurations involving IMAP authentication and cryptographic modules where possible. No additional IOCs or detection rules are provided in the articles.
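The bug class behind the CVE-2026-43859 entry under Technical Details, as an added example (not Mutt's code and not taken from the advisories): an MD5 digest is 16 raw bytes, so a string copy stops at the first zero byte while `memcpy` keeps every byte. The helper `string_copy` is a hypothetical stand-in assumed to behave like a bounded, NUL-terminating string copy, and both digests are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 16 /* MD5 output size in bytes */

/* Hypothetical stand-in for a bounded string copy (assumption: strncpy
 * followed by forced NUL termination). Not Mutt's implementation. */
static void string_copy(unsigned char *dst, const unsigned char *src, size_t n)
{
    strncpy((char *)dst, (const char *)src, n);
    dst[n - 1] = '\0';
}

/* Number of leading bytes of `copy` that still equal `orig`. */
static size_t intact_prefix(const unsigned char *orig, const unsigned char *copy)
{
    size_t i = 0;
    while (i < DIGEST_LEN && orig[i] == copy[i])
        i++;
    return i;
}

/* Copy a digest with the string routine; return how many bytes survived. */
size_t survives_string_copy(const unsigned char *digest)
{
    unsigned char out[DIGEST_LEN];
    string_copy(out, digest, sizeof out);
    return intact_prefix(digest, out);
}

/* Same measurement for a length-based binary copy. */
size_t survives_memcpy(const unsigned char *digest)
{
    unsigned char out[DIGEST_LEN];
    memcpy(out, digest, sizeof out);
    return intact_prefix(digest, out);
}

/* Constructed sample digests, not real protocol data. */
const unsigned char DIGEST_WITH_NUL[DIGEST_LEN] = {
    0xde, 0xad, 0xbe, 0xef, 0x00, 0x11, 0x22, 0x33,
    0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb };
const unsigned char DIGEST_NO_NUL[DIGEST_LEN] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10 };

int main(void)
{
    printf("string copy, embedded NUL: %zu/16 bytes intact\n", survives_string_copy(DIGEST_WITH_NUL));
    printf("string copy, no NUL:       %zu/16 bytes intact\n", survives_string_copy(DIGEST_NO_NUL));
    printf("memcpy:                    %zu/16 bytes intact\n", survives_memcpy(DIGEST_WITH_NUL));
    return 0;
}
```

Even a digest with no zero byte loses its last byte to the forced terminator when the buffer is exactly digest-sized, which is why binary values need a length-based copy.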

Source articles (2)

  • openSUSE Mutt Important Security Patch for 2026-2301 — Linuxsecurity · 2026-06-09
    ## This update for mutt fixes the following issues * CVE-2026-43859: `strfcpy` used instead of `memcpy` for the IMAP `auth_cram` MD5 digest (bsc#1263897). * CVE-2026-43860: truncation of `hash_passwd`…
  • SUSE Mutt Moderate Loop NULL Pointer Fix Vulnerability 2026-2300 — Linuxsecurity · 2026-06-09
    ## This update for mutt fixes the following issues * CVE-2026-43859: `strfcpy` used instead of `memcpy` for the IMAP `auth_cram` MD5 digest (bsc#1263897). * CVE-2026-43860: truncation of `hash_passwd`…

Timeline

  • 2026-05-04 — Multiple CVEs published for Mutt: CVE-2026-43859 to CVE-2026-43864 were published, detailing various vulnerabilities in the Mutt email client.
  • 2026-05-04 — CVE-2026-43862 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-04 — CVE-2026-43859 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-04 — CVE-2026-43863 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-04 — CVE-2026-43861 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-04 — CVE-2026-43864 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-04 — CVE-2026-43860 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-08 — SUSE releases security updates for Mutt: SUSE issued updates addressing multiple vulnerabilities in Mutt, urging users to apply patches immediately.
  • 2026-06-08 — openSUSE releases security updates for Mutt: openSUSE also issued updates for Mutt, fixing the same vulnerabilities as SUSE, with a focus on immediate patching.

CVEs

  • CVE-2026-43859
  • CVE-2026-43860
  • CVE-2026-43861
  • CVE-2026-43862
  • CVE-2026-43863
  • CVE-2026-43864

Related entities

  • SUSE (Company)
  • openSUSE (Company)
  • CWE-476 - NULL Pointer Dereference (CWE)
  • Linux (Platform)