Mutt Hash Truncation Vulnerability in IMAP CRAM-MD5 Authentication

Vulnerability

A vulnerability exists in Mutt versions prior to 2.3.2, where the hashed password used for IMAP authentication with the CRAM-MD5 digest is sometimes truncated by one byte. This issue arises because Mutt incorrectly uses strfcpy() instead of memcpy() on the raw binary value of the MD5 digest, leading to improper handling of a hashed password that contains a null byte. As a result, the authentication process may be compromised, particularly for passwords longer than 64 bytes.
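The copy defect described above, as an added illustration that is not Mutt's own code: it models strfcpy() as strncpy() plus a forced terminator (an assumption about its semantics), applies that and memcpy() to two constructed 16-byte digests, and counts how many digest bytes reach the 64-byte HMAC key block.

```c
#include <stdio.h>
#include <string.h>

#define MD5_DIGEST_LEN 16
#define HMAC_BLOCK_LEN 64

/* Constructed sample digests (not real MD5 output): one with an embedded
 * 0x00 byte at index 2, one with none. */
const unsigned char DIGEST_WITH_NUL[MD5_DIGEST_LEN] = {
    0x9a, 0x3f, 0x00, 0x7c, 0x51, 0xe2, 0x08, 0xb4,
    0x6d, 0x1b, 0xc7, 0x39, 0xf0, 0x2e, 0x85, 0x4a };
const unsigned char DIGEST_NO_NUL[MD5_DIGEST_LEN] = {
    0x9a, 0x3f, 0x11, 0x7c, 0x51, 0xe2, 0x08, 0xb4,
    0x6d, 0x1b, 0xc7, 0x39, 0xf0, 0x2e, 0x85, 0x4a };

/* String-copy semantics assumed for Mutt's strfcpy(): strncpy() plus a forced
 * NUL in the last destination byte. It stops at the first 0x00 in the source. */
static void strfcpy_like(char *dst, const char *src, size_t n)
{
    strncpy(dst, src, n);
    dst[n - 1] = '\0';
}

/* Count how many leading digest bytes survive in the HMAC key block.
 * RFC 2104 hashes a key longer than the 64-byte block first, which is why
 * only passwords over 64 bytes pass through this copy. */
static int leading_match(const unsigned char *digest, const unsigned char *key)
{
    int i;
    for (i = 0; i < MD5_DIGEST_LEN; i++)
        if (digest[i] != key[i])
            return i;
    return MD5_DIGEST_LEN;
}

/* Defective variant: binary digest copied with string semantics. */
int preserved_buggy(const unsigned char *digest)
{
    unsigned char key[HMAC_BLOCK_LEN] = {0};
    strfcpy_like((char *)key, (const char *)digest, MD5_DIGEST_LEN);
    return leading_match(digest, key);
}

/* Corrected variant: memcpy() keeps every byte, 0x00 included. */
int preserved_fixed(const unsigned char *digest)
{
    unsigned char key[HMAC_BLOCK_LEN] = {0};
    memcpy(key, digest, MD5_DIGEST_LEN);
    return leading_match(digest, key);
}
```

With no null byte the string copy still loses the 16th byte (15 of 16 preserved); with a null byte at index 2 everything after it is zeroed, while memcpy() preserves all 16 in both cases.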

Impact

Exploitation of this vulnerability can lead to incorrect handling of authentication hashes, potentially allowing for authentication bypass or manipulation in IMAP sessions that use CRAM-MD5.

Remediation

Users can upgrade to Mutt version 2.3.2 or later to address this vulnerability.

Added: May 4, 2026, 7:34 AM
Updated: May 4, 2026, 7:34 AM

Vulnerability Rating

Custom Algorithm

  spread          2.4
  impact          0.6
  exploitability  5.1
  remediation     7.7
  relevance       7.1
  threat          3.2
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.