CVE-2021-3181

MEDIUM
Published Jan 19, 20215y ago · Modified Jun 17, 20262w ago
6.5 CVSS 3.1
Medium
Find Similar
Published Jan 19, 2021 5y ago
Last Modified Jun 17, 2026 2w ago

Description

rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups). A small email message from the attacker can cause large memory consumption, and the victim may then be unable to see email messages from other persons.

CVSS Details

Base Score
6.5
Exploitability
2.8
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-401

Affected Products 5

VendorProductVersionRange
muttmutt* ≤2.0.4
debiandebian_linux9.0any
debiandebian_linux10.0any
fedoraprojectfedora32any
fedoraprojectfedora33any

References 11

  • openwall.com http://www.openwall.com/lists/oss-security/2021/01/19/10
    Mailing ListThird Party Advisory
  • openwall.com http://www.openwall.com/lists/oss-security/2021/01/27/3
    Mailing ListThird Party Advisory
  • gitlab.com https://gitlab.com/muttmua/mutt/-/commit/4a2becbdb4422aaffe3ce314991b9d670b7adf17
    PatchThird Party Advisory
  • gitlab.com https://gitlab.com/muttmua/mutt/-/commit/939b02b33ae29bc0d642570c1dcfd4b339037d19
    PatchThird Party Advisory
  • gitlab.com https://gitlab.com/muttmua/mutt/-/commit/d4305208955c5cdd9fe96dfa61e7c1e14e176a14
    PatchThird Party Advisory
  • gitlab.com https://gitlab.com/muttmua/mutt/-/issues/323
    Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2021/01/msg00017.html
    Mailing ListThird Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DXGWXFO77HBCD3VYEIYHHYU33LYWWWNQ/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2OMLQKAOHPYQA4GI7ZUO6UKCPUHLYO7/
  • security.gentoo.org https://security.gentoo.org/glsa/202101-25
    Third Party Advisory
  • debian.org https://www.debian.org/security/2021/dsa-4838
    Third Party Advisory

Remediation

  • gitlab.com https://gitlab.com/muttmua/mutt/-/commit/4a2becbdb4422aaffe3ce314991b9d670b7adf17
    PatchThird Party Advisory
  • gitlab.com https://gitlab.com/muttmua/mutt/-/commit/939b02b33ae29bc0d642570c1dcfd4b339037d19
    PatchThird Party Advisory
  • gitlab.com https://gitlab.com/muttmua/mutt/-/commit/d4305208955c5cdd9fe96dfa61e7c1e14e176a14
    PatchThird Party Advisory