CVE-2026-43964

LOW

Postfix < 3.8.16, 3.9 < 3.9.10, 3.10 < 3.10.9 - Denial of Service via Enhanced Status Code Parsing

Title source: llm

Description

Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.

References (2)

Core 2

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/04/30

https://www.mail-archive.com/[email protected]/msg00110.html

Scores

CVSS v3 3.7

EPSS 0.0032

EPSS Percentile 23.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-193

Status published

Products (4)

postfix/postfix < 3.8.16

Postfix/Postfix 2.3 - 3.8.16

Postfix/Postfix 3.10 - 3.10.9

Postfix/Postfix 3.9 - 3.9.10

Published May 04, 2026

Tracked Since May 05, 2026