#VU53619 Out-of-bounds read in Mutt - CVE-2021-32055

Cybersecurity Help s.r.o.

Published: 2021-05-27

Vulnerability identifier: #VU53619

Vulnerability risk: Low

CVSSv4.0: 0.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-32055

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mutt
Client/Desktop applications / Office applications

Vendor: Mutt.org

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in imap/util.c in Mutt when processing IMAP sequence, which ends with a comma. A remote attacker can trigger an out-of-bounds read error and read contents of memory on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mutt: 1.11 - 2.0.6

External links
https://gitlab.com/muttmua/mutt/-/commit/7c4779ac24d2fb68a2a47b58c7904118f40965d5
https://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20210503/000036.html
https://github.com/neomutt/neomutt/commit/fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc
https://security.gentoo.org/glsa/202105-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for mutt

Gentoo update for Mutt, NeoMutt

Out-of-bounds read in Mutt