CVE-2021-3181

MEDIUM

Mutt < 2.0.4 - Memory Leak

Title source: rule
STIX 2.1

Description

rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups). A small email message from the attacker can cause large memory consumption, and the victim may then be unable to see email messages from other persons.

References (11)

Core 11
Core References
Third Party Advisory x_refsource_misc
https://gitlab.com/muttmua/mutt/-/issues/323
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/01/19/10
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/01/msg00017.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202101-25
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2021/dsa-4838
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/01/27/3

Scores

CVSS v3 6.5
EPSS 0.0300
EPSS Percentile 86.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

CWE
CWE-401
Status published
Products (5)
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 32
fedoraproject/fedora 33
mutt/mutt < 2.0.4
Published Jan 19, 2021
Tracked Since Feb 18, 2026