Unrated severityNVD Advisory· Published Jul 17, 2018· Updated Aug 5, 2024

CVE-2018-14356

Description

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. pop.c mishandles a zero-length UID.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mutt and NeoMutt before fixed versions mishandle zero-length UIDs in POP3, potentially allowing denial of service or information disclosure.

Vulnerability

In Mutt before 1.10.1 and NeoMutt before 2018-07-16, the POP3 implementation in pop.c does not properly handle a zero-length UID (Unique IDentifier) received from the server during the fetch_uidl call. A malicious or compromised POP3 server can send a response line with an empty UID value, which the client processes without validation, leading to undefined behavior [1][2][4]. The fix explicitly checks for a zero-length UID and returns an error [4].

Exploitation

An attacker can exploit this vulnerability by controlling a POP3 server that the victim's Mutt or NeoMutt client connects to. The attacker sends a specially crafted UIDL response containing a zero-length UID. No additional authentication or user interaction beyond connecting to the malicious server is required [2][4].

Impact

Successfully exploiting this vulnerability can cause a denial of service (crash) or potentially lead to information disclosure. The improperly handled zero-length UID may trigger memory corruption or reveal unintended data. The exact impact depends on the surrounding code, but the official description notes an "issue" due to mishandling, and the commit message indicates a missing check that could lead to undefined behavior [2][4].

Mitigation

Users should upgrade to Mutt 1.10.1 or later, or NeoMutt 2018-07-16 or later. These versions include the fix that validates UID length in fetch_uidl. The Gentoo security advisory GLSA 201810-07 recommends the upgrade and notes that no workaround is available [2]. The fix is public in the Mutt repository [4].

References

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Mutt/Muttllm-fuzzy
Range: <=1.10.0
Neomutt/Neomuttllm-fuzzy
Range: <2018-07-16
osv-coords11 versions
pkg:rpm/opensuse/mutt&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/neomutt&distro=openSUSE%20Tumbleweed pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3 pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015 pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3 pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-LTSS pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-TERADATA pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4 pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4 pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
< 2.0.7-2.2+ 10 more
- (no CPE)range: < 2.0.7-2.2
- (no CPE)range: < 20210205-3.3
- (no CPE)range: < 1.10.1-55.3.1
- (no CPE)range: < 1.10.1-3.3.4
- (no CPE)range: < 1.5.17-42.43.1
- (no CPE)range: < 1.5.17-42.43.1
- (no CPE)range: < 1.5.17-42.43.1
- (no CPE)range: < 1.5.17-42.43.1
- (no CPE)range: < 1.10.1-55.3.1
- (no CPE)range: < 1.5.17-42.43.1
- (no CPE)range: < 1.10.1-55.3.1

Patches

6a147a62cf39

merge: NeoMutt 2018-07-16

https://github.com/neomutt/neomuttRichard RussonJul 16, 2018via osv

commit

41 files changed · +20281 −20118

auto.def+1 −1 modified

@@ -14,7 +14,7 @@ use system cc cc-lib mutt-gettext mutt-iconv
 ###############################################################################
 # Names and versions
 define PACKAGE          "neomutt"
-define PACKAGE_VERSION  "20180622"
+define PACKAGE_VERSION  "20180716"
 define BUGS_ADDRESS     "neomutt-devel@neomutt.org"
 
 # Subdirectories that contain additional Makefile.autosetup files

ChangeLog.md+6 −0 modified

@@ -1,3 +1,9 @@
+2018-07-16  Richard Russon  <rich@flatcap.org>
+* Features
+  - <check-stats> function
+* Bug Fixes
+  - Lots
+
 2018-06-22  Richard Russon  <rich@flatcap.org>
 * Features
   - Expand variables inside backticks

doxygen/doxygen.conf+1 −1 modified

@@ -25,7 +25,7 @@ PROJECT_NAME           = "NeoMutt"
 # could be handy for archiving the generated documentation or if some version
 # control system is used.
 
-PROJECT_NUMBER         = 2018-06-22
+PROJECT_NUMBER         = 2018-07-16
 
 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a

imap/auth_plain.c+2 −1 modified

@@ -77,7 +77,8 @@ enum ImapAuthRes imap_auth_plain(struct ImapData *idata, const char *method)
     }
     if (rc == IMAP_CMD_RESPOND)
     {
-      mutt_str_strcat(buf + sizeof(auth_plain_cmd), sizeof(buf) - sizeof(auth_plain_cmd), "\r\n");
+      mutt_str_strcat(buf + sizeof(auth_plain_cmd),
+                      sizeof(buf) - sizeof(auth_plain_cmd), "\r\n");
       mutt_socket_send(idata->conn, buf + sizeof(auth_plain_cmd));
     }
   }

imap/imap.c+2 −2 modified

@@ -1730,8 +1730,8 @@ int imap_subscribe(char *path, bool subscribe)
     mutt_buffer_init(&err);
     err.data = errstr;
     err.dsize = sizeof(errstr);
-	len = snprintf(mbox, sizeof(mbox), "%smailboxes ", subscribe ? "" : "un");
-	imap_quote_string(mbox + len, sizeof(mbox) - len, path, true);
+    len = snprintf(mbox, sizeof(mbox), "%smailboxes ", subscribe ? "" : "un");
+    imap_quote_string(mbox + len, sizeof(mbox) - len, path, true);
     if (mutt_parse_rc_line(mbox, &token, &err))
       mutt_debug(1, "Error adding subscribed mailbox: %s\n", errstr);
     FREE(&token.data);

.mailmap+4 −1 modified

@@ -61,6 +61,7 @@ Jakub Jindra <jakub.jindra@socialbakers.com>                    Jakub Jindra <j
 Jakub Wilk <jwilk@jwilk.net>                                    Jakub Wilk <jwilk@jwilk.net>                             # @jwilk
 Jelle van der Waa <jelle@vdwaa.nl>                              Jelle van der Waa <jelle@vdwaa.nl>                       # @jelly
 Jenya Sovetkin <e.sovetkin@gmail.com>                           Jenya Sovetkin <e.sovetkin@gmail.com>                    # @esovetkin
+JerikoOne <jeriko.one@gmx.us>                                   JerikoOne <jeriko.one@gmx.us>                            # @jeriko-one
 Joey Pabalinas <joeypabalinas@gmail.com>                        Joey Pabalinas <joeypabalinas@gmail.com>                 # @alyptik
 Johannes Weißl <jargon@molb.org>                               Johannes Weißl <jargon@molb.org>                        # @weisslj
 Jonathan Perkin <jperkin@netbsd.org>                            Jonathan Perkin <jperkin@netbsd.org>                     # @jperkin
@@ -80,6 +81,7 @@ Marcin Rajner <mrajner@gik.pw.edu.pl>                           Marcin Rajner <m
 Marcin Rajner <mrajner@gik.pw.edu.pl>                           Marcin Rajner <mrajner@lenovo>                           # @mrajner
 Marcin Rajner <mrajner@gik.pw.edu.pl>                           Marcin Rajner lenovo <mrajner@gik.pw.edu.pl>             # @mrajner
 Marco Hinz <mh.codebro@gmail.com>                               Marco Hinz <mh.codebro@gmail.com>                        # @mhinz
+Marco Sirabella <marco@sirabella.org>                           Marco Sirabella <marco@sirabella.org>                    # @mjsir911
 Marius Gedminas <marius@gedmin.as>                              Marius Gedminas <marius@gedmin.as>                       # @mgedmin
 Mehdi Abaakouk <sileht@sileht.net>                              Mehdi ABAAKOUK <sileht@sileht.net>                       # @sileht
 Mehdi Abaakouk <sileht@sileht.net>                              Mehdi Abaakouk <sileht@sileht.net>                       # @sileht
@@ -156,7 +158,8 @@ Andreas Jobs <unknown>                                          Andreas Jobs <un
 Andrew Gaul <andrew@gaul.org>                                   Andrew Gaul <andrew@gaul.org>
 Andrew Nosenko <awn@bcs.zp.ua>                                  Andrew W. Nosenko <awn@bcs.zp.ua>
 Antoine Reilles <tonio@netbsd.org>                              Antoine Reilles <tonio@netbsd.org>
-Anton Lindqvist <anton.lindqvist@gmail.com>                     Anton Lindqvist <anton.lindqvist@gmail.com>
+Anton Lindqvist <anton@basename.se>                             Anton Lindqvist <anton.lindqvist@gmail.com>
+Anton Lindqvist <anton@basename.se>                             Anton Lindqvist <anton@basename.se>
 Armin Wolfermann <aw@osn.de>                                    Armin Wolfermann <aw@osn.de>
 Aron Griffis <agriffis@n01se.net>                               Aron Griffis <agriffis@n01se.net>
 Athanasios Douitsis <aduitsis@gmail.com>                        Athanasios Douitsis <aduitsis@gmail.com>

newsrc.c+2 −1 modified

@@ -601,7 +601,8 @@ int nntp_add_group(char *line, void *data)
     return 0;
 
   /* These sscanf limits must match the sizes of the group and desc arrays */
-  if (sscanf(line, "%1023s " ANUM " " ANUM " %c %8191[^\n]", group, &last, &first, &mod, desc) < 4)
+  if (sscanf(line, "%1023s " ANUM " " ANUM " %c %8191[^\n]", group, &last,
+             &first, &mod, desc) < 4)
   {
     mutt_debug(4, "Cannot parse server line: %s\n", line);
     return 0;

nntp.c+1 −1 modified

@@ -1289,7 +1289,7 @@ static int nntp_fetch_headers(struct Context *ctx, void *hc, anum_t first,
   fc.restore = restore;
   fc.messages = mutt_mem_calloc(last - first + 1, sizeof(unsigned char));
   if (fc.messages == NULL)
-	  return -1;
+    return -1;
 #ifdef USE_HCACHE
   fc.hc = hc;
 #endif

pattern.c+8 −8 modified

@@ -1885,13 +1885,13 @@ int mutt_pattern_exec(struct Pattern *pat, enum PatternExecFlag flags,
     case MUTT_SENDER:
       if (!h->env)
         return 0;
-      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 1,
-                                        h->env->sender));
+      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS),
+                                        1, h->env->sender));
     case MUTT_FROM:
       if (!h->env)
         return 0;
-      return (pat->not ^
-              match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 1, h->env->from));
+      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS),
+                                        1, h->env->from));
     case MUTT_TO:
       if (!h->env)
         return 0;
@@ -1924,14 +1924,14 @@ int mutt_pattern_exec(struct Pattern *pat, enum PatternExecFlag flags,
     case MUTT_ADDRESS:
       if (!h->env)
         return 0;
-      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 4,
-                                        h->env->from, h->env->sender,
+      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS),
+                                        4, h->env->from, h->env->sender,
                                         h->env->to, h->env->cc));
     case MUTT_RECIPIENT:
       if (!h->env)
         return 0;
-      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 2,
-                                        h->env->to, h->env->cc));
+      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS),
+                                        2, h->env->to, h->env->cc));
     case MUTT_LIST: /* known list, subscribed or not */
       if (!h->env)
         return 0;

po/bg.po+675 −670 modified
po/ca.po+675 −670 modified
po/cs.po+675 −670 modified
po/da.po+675 −670 modified
po/de.po+675 −670 modified
po/el.po+675 −670 modified
po/en_GB.po+674 −670 modified
po/eo.po+675 −670 modified
po/es.po+675 −670 modified
po/et.po+675 −670 modified
po/eu.po+675 −670 modified
po/fr.po+675 −670 modified
po/ga.po+675 −670 modified
po/gl.po+675 −670 modified
po/hu.po+675 −670 modified
po/id.po+675 −670 modified
po/it.po+675 −670 modified
po/ja.po+675 −670 modified
po/ko.po+675 −670 modified
po/lt.po+675 −670 modified
po/nl.po+675 −670 modified
po/pl.po+675 −670 modified
po/pt_BR.po+675 −670 modified
po/ru.po+675 −670 modified
po/sk.po+675 −670 modified
po/sv.po+675 −670 modified
po/tr.po+675 −670 modified
po/uk.po+675 −670 modified
po/zh_CN.po+675 −670 modified
po/zh_TW.po+675 −670 modified

README.md+3 −1 modified

@@ -2,7 +2,7 @@
 
 [![Stars](https://img.shields.io/github/stars/neomutt/neomutt.svg?style=social&label=Stars)](https://github.com/neomutt/neomutt "Give us a Star")
 [![Twitter](https://img.shields.io/twitter/follow/NeoMutt_Org.svg?style=social&label=Follow)](https://twitter.com/NeoMutt_Org "Follow us on Twitter")
-[![Contributors](https://img.shields.io/badge/Contributors-127-orange.svg)](#contributors "All of NeoMutt's Contributors")
+[![Contributors](https://img.shields.io/badge/Contributors-132-orange.svg)](#contributors "All of NeoMutt's Contributors")
 [![Release](https://img.shields.io/github/release/neomutt/neomutt.svg)](https://github.com/neomutt/neomutt/releases/latest "Latest Release Notes")
 [![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-blue.svg)](https://github.com/neomutt/neomutt/blob/master/COPYRIGHT.md "Copyright Statement")
 [![Code build](https://img.shields.io/travis/neomutt/neomutt.svg?label=code)](https://travis-ci.org/neomutt/neomutt "Latest Automatic Code Build")
@@ -137,6 +137,7 @@ Here's a list of everyone who's helped NeoMutt:
 [Jasper Adriaanse](https://github.com/jasperla "jasperla"),
 [Jelle van der Waa](https://github.com/jelly "jelly"),
 [Jenya Sovetkin](https://github.com/esovetkin "esovetkin"),
+[JerikoOne](https://github.com/jeriko-one "jeriko-one"),
 [Joey Pabalinas](https://github.com/alyptik "alyptik"),
 [Johannes Frankenau](https://github.com/tsuflux "tsuflux"),
 [Johannes Weißl](https://github.com/weisslj "weisslj"),
@@ -156,6 +157,7 @@ Here's a list of everyone who's helped NeoMutt:
 [Manos Pitsidianakis](https://github.com/epilys "epilys"),
 [Marcin Rajner](https://github.com/mrajner "mrajner"),
 [Marco Hinz](https://github.com/mhinz "mhinz"),
+[Marco Sirabella](https://github.com/mjsir911 "mjsir911"),
 [Marius Gedminas](https://github.com/mgedmin "mgedmin"),
 [Mateusz Piotrowski](https://github.com/0mp "0mp"),
 [Matteo Vescovi](https://github.com/mfvescovi "mfvescovi"),

send.c+2 −1 modified

@@ -1076,7 +1076,8 @@ struct Address *mutt_default_from(void)
 
   if (From)
     addr = mutt_addr_copy(From);
-  else {
+  else
+  {
     addr = mutt_addr_new();
     if (UseDomain)
     {

93b8ac558752

Ensure UID in fetch_uidl

https://github.com/neomutt/neomuttJerikoOneJul 7, 2018via osv

commit

1 file changed · +4 −0

pop.c+4 −0 modified

@@ -202,6 +202,10 @@ static int fetch_uidl(char *line, void *data)
     endp++;
   memmove(line, endp, strlen(endp) + 1);
 
+  /* uid must be at least be 1 byte */
+  if (strlen(line) == 0)
+    return -1;
+
   for (i = 0; i < ctx->msgcount; i++)
     if (mutt_str_strcmp(line, ctx->hdrs[i]->data) == 0)
       break;

ed9d7727dc70

https://gitlab.com/muttmua/muttvia osv

commit

e154cba1b3fc

https://gitlab.com/muttmua/muttvia osv

commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

security.gentoo.org/glsa/201810-07mitrevendor-advisoryx_refsource_GENTOO
usn.ubuntu.com/3719-3/mitrevendor-advisoryx_refsource_UBUNTU
www.debian.org/security/2018/dsa-4277mitrevendor-advisoryx_refsource_DEBIAN
www.mutt.org/news.htmlmitrex_refsource_MISC
github.com/neomutt/neomutt/commit/93b8ac558752d09e1c56d4f1bc82631316fa9c82mitrex_refsource_MISC
gitlab.com/muttmua/mutt/commit/e154cba1b3fc52bb8cb8aa846353c0db79b5d9c6mitrex_refsource_MISC
lists.debian.org/debian-lts-announce/2018/08/msg00001.htmlmitremailing-listx_refsource_MLIST
neomutt.org/2018/07/16/releasemitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000