Unrated severityNVD Advisory· Published Jul 17, 2018· Updated Aug 5, 2024

CVE-2018-14360

Description

An issue was discovered in NeoMutt before 2018-07-16. nntp_add_group in newsrc.c has a stack-based buffer overflow because of incorrect sscanf usage.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NeoMutt before 2018-07-16 has a stack buffer overflow in nntp_add_group due to missing sscanf length limits, enabling potential remote code execution.

Vulnerability

A stack-based buffer overflow exists in the nntp_add_group function in newsrc.c of NeoMutt versions prior to the 2018-07-16 release. The vulnerability arises from incorrect use of sscanf without length modifiers when parsing NNTP server responses. Specifically, the group buffer (of size LONG_STRING, typically 1024 bytes) and the desc buffer (of size HUGE_STRING, typically 8192 bytes) are written to without bounds checking, allowing an attacker to overflow the stack if a crafted response is provided [1].

Exploitation

An attacker can exploit this vulnerability by controlling an NNTP server that the victim's NeoMutt client connects to. No authentication is required; the attacker simply sends a malicious NNTP response containing an overly long group name or description. The sscanf call with %s and %[^\n] format specifiers will write beyond the allocated stack buffers, causing a buffer overflow [1]. The attack does not require user interaction beyond the client connecting to the malicious server.

Impact

Successful exploitation of the stack buffer overflow can lead to arbitrary code execution in the context of the user running NeoMutt. This could allow an attacker to compromise the user's system, potentially gaining full control over the affected host. The impact is high, as it enables remote code execution without authentication [2].

Mitigation

The vulnerability is fixed in NeoMutt release 2018-07-16 [2]. Users are strongly advised to upgrade to this version or later. The fix introduces length modifiers in the sscanf call to limit the number of characters read into the group and desc buffers, preventing overflow [1]. No workarounds are documented; upgrading is the recommended mitigation.

References

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Neomutt/Neomuttllm-fuzzy
Range: <2018-07-16
osv-coords6 versions
pkg:rpm/opensuse/mutt&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/neomutt&distro=openSUSE%20Tumbleweed pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3 pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015 pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
< 2.0.7-2.2+ 5 more
- (no CPE)range: < 2.0.7-2.2
- (no CPE)range: < 20210205-3.3
- (no CPE)range: < 1.10.1-55.3.1
- (no CPE)range: < 1.10.1-3.3.4
- (no CPE)range: < 1.10.1-55.3.1
- (no CPE)range: < 1.10.1-55.3.1

Patches

6a147a62cf39

merge: NeoMutt 2018-07-16

https://github.com/neomutt/neomuttRichard RussonJul 16, 2018via osv

commit

41 files changed · +20281 −20118

auto.def+1 −1 modified

@@ -14,7 +14,7 @@ use system cc cc-lib mutt-gettext mutt-iconv
 ###############################################################################
 # Names and versions
 define PACKAGE          "neomutt"
-define PACKAGE_VERSION  "20180622"
+define PACKAGE_VERSION  "20180716"
 define BUGS_ADDRESS     "neomutt-devel@neomutt.org"
 
 # Subdirectories that contain additional Makefile.autosetup files

ChangeLog.md+6 −0 modified

@@ -1,3 +1,9 @@
+2018-07-16  Richard Russon  <rich@flatcap.org>
+* Features
+  - <check-stats> function
+* Bug Fixes
+  - Lots
+
 2018-06-22  Richard Russon  <rich@flatcap.org>
 * Features
   - Expand variables inside backticks

doxygen/doxygen.conf+1 −1 modified

@@ -25,7 +25,7 @@ PROJECT_NAME           = "NeoMutt"
 # could be handy for archiving the generated documentation or if some version
 # control system is used.
 
-PROJECT_NUMBER         = 2018-06-22
+PROJECT_NUMBER         = 2018-07-16
 
 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a

imap/auth_plain.c+2 −1 modified

@@ -77,7 +77,8 @@ enum ImapAuthRes imap_auth_plain(struct ImapData *idata, const char *method)
     }
     if (rc == IMAP_CMD_RESPOND)
     {
-      mutt_str_strcat(buf + sizeof(auth_plain_cmd), sizeof(buf) - sizeof(auth_plain_cmd), "\r\n");
+      mutt_str_strcat(buf + sizeof(auth_plain_cmd),
+                      sizeof(buf) - sizeof(auth_plain_cmd), "\r\n");
       mutt_socket_send(idata->conn, buf + sizeof(auth_plain_cmd));
     }
   }

imap/imap.c+2 −2 modified

@@ -1730,8 +1730,8 @@ int imap_subscribe(char *path, bool subscribe)
     mutt_buffer_init(&err);
     err.data = errstr;
     err.dsize = sizeof(errstr);
-	len = snprintf(mbox, sizeof(mbox), "%smailboxes ", subscribe ? "" : "un");
-	imap_quote_string(mbox + len, sizeof(mbox) - len, path, true);
+    len = snprintf(mbox, sizeof(mbox), "%smailboxes ", subscribe ? "" : "un");
+    imap_quote_string(mbox + len, sizeof(mbox) - len, path, true);
     if (mutt_parse_rc_line(mbox, &token, &err))
       mutt_debug(1, "Error adding subscribed mailbox: %s\n", errstr);
     FREE(&token.data);

.mailmap+4 −1 modified

@@ -61,6 +61,7 @@ Jakub Jindra <jakub.jindra@socialbakers.com>                    Jakub Jindra <j
 Jakub Wilk <jwilk@jwilk.net>                                    Jakub Wilk <jwilk@jwilk.net>                             # @jwilk
 Jelle van der Waa <jelle@vdwaa.nl>                              Jelle van der Waa <jelle@vdwaa.nl>                       # @jelly
 Jenya Sovetkin <e.sovetkin@gmail.com>                           Jenya Sovetkin <e.sovetkin@gmail.com>                    # @esovetkin
+JerikoOne <jeriko.one@gmx.us>                                   JerikoOne <jeriko.one@gmx.us>                            # @jeriko-one
 Joey Pabalinas <joeypabalinas@gmail.com>                        Joey Pabalinas <joeypabalinas@gmail.com>                 # @alyptik
 Johannes Weißl <jargon@molb.org>                               Johannes Weißl <jargon@molb.org>                        # @weisslj
 Jonathan Perkin <jperkin@netbsd.org>                            Jonathan Perkin <jperkin@netbsd.org>                     # @jperkin
@@ -80,6 +81,7 @@ Marcin Rajner <mrajner@gik.pw.edu.pl>                           Marcin Rajner <m
 Marcin Rajner <mrajner@gik.pw.edu.pl>                           Marcin Rajner <mrajner@lenovo>                           # @mrajner
 Marcin Rajner <mrajner@gik.pw.edu.pl>                           Marcin Rajner lenovo <mrajner@gik.pw.edu.pl>             # @mrajner
 Marco Hinz <mh.codebro@gmail.com>                               Marco Hinz <mh.codebro@gmail.com>                        # @mhinz
+Marco Sirabella <marco@sirabella.org>                           Marco Sirabella <marco@sirabella.org>                    # @mjsir911
 Marius Gedminas <marius@gedmin.as>                              Marius Gedminas <marius@gedmin.as>                       # @mgedmin
 Mehdi Abaakouk <sileht@sileht.net>                              Mehdi ABAAKOUK <sileht@sileht.net>                       # @sileht
 Mehdi Abaakouk <sileht@sileht.net>                              Mehdi Abaakouk <sileht@sileht.net>                       # @sileht
@@ -156,7 +158,8 @@ Andreas Jobs <unknown>                                          Andreas Jobs <un
 Andrew Gaul <andrew@gaul.org>                                   Andrew Gaul <andrew@gaul.org>
 Andrew Nosenko <awn@bcs.zp.ua>                                  Andrew W. Nosenko <awn@bcs.zp.ua>
 Antoine Reilles <tonio@netbsd.org>                              Antoine Reilles <tonio@netbsd.org>
-Anton Lindqvist <anton.lindqvist@gmail.com>                     Anton Lindqvist <anton.lindqvist@gmail.com>
+Anton Lindqvist <anton@basename.se>                             Anton Lindqvist <anton.lindqvist@gmail.com>
+Anton Lindqvist <anton@basename.se>                             Anton Lindqvist <anton@basename.se>
 Armin Wolfermann <aw@osn.de>                                    Armin Wolfermann <aw@osn.de>
 Aron Griffis <agriffis@n01se.net>                               Aron Griffis <agriffis@n01se.net>
 Athanasios Douitsis <aduitsis@gmail.com>                        Athanasios Douitsis <aduitsis@gmail.com>

newsrc.c+2 −1 modified

@@ -601,7 +601,8 @@ int nntp_add_group(char *line, void *data)
     return 0;
 
   /* These sscanf limits must match the sizes of the group and desc arrays */
-  if (sscanf(line, "%1023s " ANUM " " ANUM " %c %8191[^\n]", group, &last, &first, &mod, desc) < 4)
+  if (sscanf(line, "%1023s " ANUM " " ANUM " %c %8191[^\n]", group, &last,
+             &first, &mod, desc) < 4)
   {
     mutt_debug(4, "Cannot parse server line: %s\n", line);
     return 0;

nntp.c+1 −1 modified

@@ -1289,7 +1289,7 @@ static int nntp_fetch_headers(struct Context *ctx, void *hc, anum_t first,
   fc.restore = restore;
   fc.messages = mutt_mem_calloc(last - first + 1, sizeof(unsigned char));
   if (fc.messages == NULL)
-	  return -1;
+    return -1;
 #ifdef USE_HCACHE
   fc.hc = hc;
 #endif

pattern.c+8 −8 modified

@@ -1885,13 +1885,13 @@ int mutt_pattern_exec(struct Pattern *pat, enum PatternExecFlag flags,
     case MUTT_SENDER:
       if (!h->env)
         return 0;
-      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 1,
-                                        h->env->sender));
+      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS),
+                                        1, h->env->sender));
     case MUTT_FROM:
       if (!h->env)
         return 0;
-      return (pat->not ^
-              match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 1, h->env->from));
+      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS),
+                                        1, h->env->from));
     case MUTT_TO:
       if (!h->env)
         return 0;
@@ -1924,14 +1924,14 @@ int mutt_pattern_exec(struct Pattern *pat, enum PatternExecFlag flags,
     case MUTT_ADDRESS:
       if (!h->env)
         return 0;
-      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 4,
-                                        h->env->from, h->env->sender,
+      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS),
+                                        4, h->env->from, h->env->sender,
                                         h->env->to, h->env->cc));
     case MUTT_RECIPIENT:
       if (!h->env)
         return 0;
-      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 2,
-                                        h->env->to, h->env->cc));
+      return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS),
+                                        2, h->env->to, h->env->cc));
     case MUTT_LIST: /* known list, subscribed or not */
       if (!h->env)
         return 0;

po/bg.po+675 −670 modified
po/ca.po+675 −670 modified
po/cs.po+675 −670 modified
po/da.po+675 −670 modified
po/de.po+675 −670 modified
po/el.po+675 −670 modified
po/en_GB.po+674 −670 modified
po/eo.po+675 −670 modified
po/es.po+675 −670 modified
po/et.po+675 −670 modified
po/eu.po+675 −670 modified
po/fr.po+675 −670 modified
po/ga.po+675 −670 modified
po/gl.po+675 −670 modified
po/hu.po+675 −670 modified
po/id.po+675 −670 modified
po/it.po+675 −670 modified
po/ja.po+675 −670 modified
po/ko.po+675 −670 modified
po/lt.po+675 −670 modified
po/nl.po+675 −670 modified
po/pl.po+675 −670 modified
po/pt_BR.po+675 −670 modified
po/ru.po+675 −670 modified
po/sk.po+675 −670 modified
po/sv.po+675 −670 modified
po/tr.po+675 −670 modified
po/uk.po+675 −670 modified
po/zh_CN.po+675 −670 modified
po/zh_TW.po+675 −670 modified

README.md+3 −1 modified

@@ -2,7 +2,7 @@
 
 [![Stars](https://img.shields.io/github/stars/neomutt/neomutt.svg?style=social&label=Stars)](https://github.com/neomutt/neomutt "Give us a Star")
 [![Twitter](https://img.shields.io/twitter/follow/NeoMutt_Org.svg?style=social&label=Follow)](https://twitter.com/NeoMutt_Org "Follow us on Twitter")
-[![Contributors](https://img.shields.io/badge/Contributors-127-orange.svg)](#contributors "All of NeoMutt's Contributors")
+[![Contributors](https://img.shields.io/badge/Contributors-132-orange.svg)](#contributors "All of NeoMutt's Contributors")
 [![Release](https://img.shields.io/github/release/neomutt/neomutt.svg)](https://github.com/neomutt/neomutt/releases/latest "Latest Release Notes")
 [![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-blue.svg)](https://github.com/neomutt/neomutt/blob/master/COPYRIGHT.md "Copyright Statement")
 [![Code build](https://img.shields.io/travis/neomutt/neomutt.svg?label=code)](https://travis-ci.org/neomutt/neomutt "Latest Automatic Code Build")
@@ -137,6 +137,7 @@ Here's a list of everyone who's helped NeoMutt:
 [Jasper Adriaanse](https://github.com/jasperla "jasperla"),
 [Jelle van der Waa](https://github.com/jelly "jelly"),
 [Jenya Sovetkin](https://github.com/esovetkin "esovetkin"),
+[JerikoOne](https://github.com/jeriko-one "jeriko-one"),
 [Joey Pabalinas](https://github.com/alyptik "alyptik"),
 [Johannes Frankenau](https://github.com/tsuflux "tsuflux"),
 [Johannes Weißl](https://github.com/weisslj "weisslj"),
@@ -156,6 +157,7 @@ Here's a list of everyone who's helped NeoMutt:
 [Manos Pitsidianakis](https://github.com/epilys "epilys"),
 [Marcin Rajner](https://github.com/mrajner "mrajner"),
 [Marco Hinz](https://github.com/mhinz "mhinz"),
+[Marco Sirabella](https://github.com/mjsir911 "mjsir911"),
 [Marius Gedminas](https://github.com/mgedmin "mgedmin"),
 [Mateusz Piotrowski](https://github.com/0mp "0mp"),
 [Matteo Vescovi](https://github.com/mfvescovi "mfvescovi"),

send.c+2 −1 modified

@@ -1076,7 +1076,8 @@ struct Address *mutt_default_from(void)
 
   if (From)
     addr = mutt_addr_copy(From);
-  else {
+  else
+  {
     addr = mutt_addr_new();
     if (UseDomain)
     {

6296f7153f0c

Set length modifiers for group and desc

https://github.com/neomutt/neomuttJerikoOneJul 3, 2018via osv

commit

1 file changed · +6 −2

newsrc.c+6 −2 modified

@@ -592,16 +592,20 @@ int nntp_add_group(char *line, void *data)
 {
   struct NntpServer *nserv = data;
   struct NntpData *nntp_data = NULL;
-  char group[LONG_STRING];
+  char group[LONG_STRING] = "";
   char desc[HUGE_STRING] = "";
   char mod;
   anum_t first, last;
 
   if (!nserv || !line)
     return 0;
 
-  if (sscanf(line, "%s " ANUM " " ANUM " %c %[^\n]", group, &last, &first, &mod, desc) < 4)
+  /* These sscanf limits must match the sizes of the group and desc arrays */
+  if (sscanf(line, "%1023s " ANUM " " ANUM " %c %8191[^\n]", group, &last, &first, &mod, desc) < 4)
+  {
+    mutt_debug(4, "Cannot parse server line: %s\n", line);
     return 0;
+  }
 
   nntp_data = nntp_data_find(nserv, group);
   nntp_data->deleted = false;

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

www.debian.org/security/2018/dsa-4277mitrevendor-advisoryx_refsource_DEBIAN
github.com/neomutt/neomutt/commit/6296f7153f0c9d5e5cd3aaf08f9731e56621bdd3mitrex_refsource_MISC
lists.debian.org/debian-lts-announce/2018/08/msg00001.htmlmitremailing-listx_refsource_MLIST
neomutt.org/2018/07/16/releasemitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000