mutt
cpe:2.3:a:mutt:mutt:*:*:*:*:*:*:*
- < 2.3.2
A vulnerability exists in Mutt versions prior to 2.3.2 in the way the IMAP CRAM-MD5 authentication digest is computed in the auth_cram module. CRAM-MD5 is HMAC-MD5 over the server challenge keyed with the password, and HMAC replaces a key longer than the 64-byte MD5 block size with its MD5 digest. Mutt did that substitution but copied the 16-byte binary digest into the key buffer with strfcpy instead of memcpy. strfcpy treats its input as a NUL-terminated string: it copies at most size-1 bytes and stops at the first 0x00 byte, so the digest, and with it the HMAC key, is silently truncated whenever the password is longer than 64 bytes. The issue has been acknowledged but is not widely reported, likely because of the declining use of CRAM-MD5 and the rarity of passwords longer than 64 bytes.
The practical effect is an incorrect authentication digest: for a password longer than 64 bytes the client computes its response with a truncated key, the response no longer matches what the server computes from the full password, and the login fails. The flaw does not by itself give an attacker a way to authenticate without the password; passwords of 64 bytes or less are unaffected.
Users can upgrade to Mutt version 2.3.2 or later, where this vulnerability has been addressed.
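The following is an added example, not code from Mutt or from the original entry. It models the buggy and fixed key-copy paths of the CRAM-MD5 handler side by side and compares each client response against what a conforming server computes; the strfcpy model, the user name "tim", and the long password are assumptions made here, while the challenge and short password are the test vector from RFC 2195.

```python
"""Model of the CRAM-MD5 digest truncation described above (added example).

CRAM-MD5 response = "<user> " + hex(HMAC-MD5(password, challenge)).
HMAC replaces a key longer than the 64-byte MD5 block with md5(key).
The unfixed client did that substitution with strfcpy(), which stops at
the first NUL byte and copies at most size-1 bytes, so the 16-byte
binary digest was silently truncated before it was used as the key.
"""
import hashlib
import hmac

MD5_BLOCK_LEN = 64   # HMAC block size for MD5
MD5_DIGEST_LEN = 16  # md5 output size


def strfcpy(src: bytes, size: int) -> bytes:
    """Model of Mutt's strfcpy(dst, src, size): strncpy() of at most
    size-1 bytes, stopping at the first NUL, then dst[size-1] = 0.
    Assumption: only the bytes that end up in the key are modelled;
    strncpy's NUL padding is equivalent to HMAC's own zero padding."""
    out = src[:size - 1]
    nul = out.find(b"\x00")
    return out if nul < 0 else out[:nul]


def hmac_key(password: bytes, use_strfcpy: bool) -> bytes:
    """Key material the client feeds into the ipad/opad XOR."""
    if len(password) > MD5_BLOCK_LEN:
        hashed = hashlib.md5(password).digest()
        if use_strfcpy:
            # Buggy path: the binary digest is treated as a C string.
            return strfcpy(hashed, MD5_DIGEST_LEN)
        return hashed  # Fixed path: memcpy of all 16 digest bytes.
    return password  # <= 64 bytes: copied whole, no truncation.


def cram_md5_response(user: bytes, password: bytes, challenge: bytes,
                      use_strfcpy: bool = False) -> bytes:
    """Client reply to a CRAM-MD5 challenge, as the (un)fixed client sends it."""
    key = hmac_key(password, use_strfcpy)
    # HMAC zero-pads the key to 64 bytes, so a 15-byte truncated key
    # yields a different digest than the full 16-byte one unless the
    # dropped byte happened to be 0x00.
    digest = hmac.new(key, challenge, hashlib.md5).hexdigest()
    return user + b" " + digest.encode()


def server_expected_response(user: bytes, password: bytes, challenge: bytes) -> bytes:
    """What a conforming server computes: HMAC-MD5 over the full password.
    hmac.new() performs the >block-size hashing itself, so this is the
    reference for both password lengths."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return user + b" " + digest.encode()


def responses_match(user: bytes, password: bytes, challenge: bytes,
                    use_strfcpy: bool) -> bool:
    """True when the client's response would be accepted by the server."""
    return (cram_md5_response(user, password, challenge, use_strfcpy)
            == server_expected_response(user, password, challenge))


# RFC 2195 section 2 test vector (user tim, response b913a602c7eda7a495b4e6e7334d3890).
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
SHORT_PASSWORD = b"tanstaaftanstaaf"
# Constructed password on the far side of the 64-byte boundary (87 bytes).
LONG_PASSWORD = b"correct horse battery staple " * 3


if __name__ == "__main__":
    for pw in (SHORT_PASSWORD, LONG_PASSWORD):
        for buggy in (True, False):
            ok = responses_match(b"tim", pw, CHALLENGE, buggy)
            print(f"{len(pw):3d}-byte password, {'strfcpy' if buggy else 'memcpy '}: "
                  f"{'server accepts' if ok else 'MISMATCH, login fails'}")
```

Running it shows the short password authenticating on both paths and the long password authenticating only on the memcpy path; the strfcpy key is at most 15 bytes and shorter still if the digest contains an early 0x00 byte, which is why the failure is intermittent from the user's point of view and depends on the particular password.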