Unrated severityNVD Advisory· Published Jul 17, 2018· Updated Aug 5, 2024
CVE-2018-14361
CVE-2018-14361
Description
An issue was discovered in NeoMutt before 2018-07-16. nntp.c proceeds even if memory allocation fails for messages data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NeoMutt before 2018-07-16 has a null-pointer dereference in nntp.c when memory allocation fails during header fetch.
Vulnerability
NeoMutt versions prior to the 2018-07-16 release contain a missing null-pointer check in the nntp_fetch_headers function within nntp.c. When memory allocation for message data fails, the code continues execution without verifying the allocation result, leading to a null pointer dereference. The affected versions are all NeoMutt releases before the 2018-07-16 release.
Exploitation
An attacker who can control NNTP responses sent to a NeoMutt client can trigger a memory allocation failure, for example by sending an excessive number of headers or a crafted response that exhausts memory. No authentication is required if the client connects to a malicious NNTP server. The attacker does not need local access; the vulnerability is triggered during normal NNTP header fetching.
Impact
Successful exploitation results in a null pointer dereference, causing the NeoMutt process to crash (denial of service). Depending on the memory layout and compiler optimizations, arbitrary code execution may be possible, but the available references only confirm a crash.
Mitigation
The vulnerability is fixed in NeoMutt 2018-07-16 release [2]. Users should upgrade to this version or later. The fix adds a check for allocation failure and returns an error instead of proceeding [1]. No workarounds are documented.
References
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
7- osv-coords6 versionspkg:rpm/opensuse/mutt&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/neomutt&distro=openSUSE%20Tumbleweedpkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3pkg:rpm/suse/mutt&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
< 2.0.7-2.2+ 5 more
- (no CPE)range: < 2.0.7-2.2
- (no CPE)range: < 20210205-3.3
- (no CPE)range: < 1.10.1-55.3.1
- (no CPE)range: < 1.10.1-3.3.4
- (no CPE)range: < 1.10.1-55.3.1
- (no CPE)range: < 1.10.1-55.3.1
Patches
26a147a62cf39merge: NeoMutt 2018-07-16
41 files changed · +20281 −20118
auto.def+1 −1 modified@@ -14,7 +14,7 @@ use system cc cc-lib mutt-gettext mutt-iconv ############################################################################### # Names and versions define PACKAGE "neomutt" -define PACKAGE_VERSION "20180622" +define PACKAGE_VERSION "20180716" define BUGS_ADDRESS "neomutt-devel@neomutt.org" # Subdirectories that contain additional Makefile.autosetup files
ChangeLog.md+6 −0 modified@@ -1,3 +1,9 @@ +2018-07-16 Richard Russon <rich@flatcap.org> +* Features + - <check-stats> function +* Bug Fixes + - Lots + 2018-06-22 Richard Russon <rich@flatcap.org> * Features - Expand variables inside backticks
doxygen/doxygen.conf+1 −1 modified@@ -25,7 +25,7 @@ PROJECT_NAME = "NeoMutt" # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 2018-06-22 +PROJECT_NUMBER = 2018-07-16 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a
imap/auth_plain.c+2 −1 modified@@ -77,7 +77,8 @@ enum ImapAuthRes imap_auth_plain(struct ImapData *idata, const char *method) } if (rc == IMAP_CMD_RESPOND) { - mutt_str_strcat(buf + sizeof(auth_plain_cmd), sizeof(buf) - sizeof(auth_plain_cmd), "\r\n"); + mutt_str_strcat(buf + sizeof(auth_plain_cmd), + sizeof(buf) - sizeof(auth_plain_cmd), "\r\n"); mutt_socket_send(idata->conn, buf + sizeof(auth_plain_cmd)); } }
imap/imap.c+2 −2 modified@@ -1730,8 +1730,8 @@ int imap_subscribe(char *path, bool subscribe) mutt_buffer_init(&err); err.data = errstr; err.dsize = sizeof(errstr); - len = snprintf(mbox, sizeof(mbox), "%smailboxes ", subscribe ? "" : "un"); - imap_quote_string(mbox + len, sizeof(mbox) - len, path, true); + len = snprintf(mbox, sizeof(mbox), "%smailboxes ", subscribe ? "" : "un"); + imap_quote_string(mbox + len, sizeof(mbox) - len, path, true); if (mutt_parse_rc_line(mbox, &token, &err)) mutt_debug(1, "Error adding subscribed mailbox: %s\n", errstr); FREE(&token.data);
.mailmap+4 −1 modified@@ -61,6 +61,7 @@ Jakub Jindra <jakub.jindra@socialbakers.com> Jakub Jindra <j Jakub Wilk <jwilk@jwilk.net> Jakub Wilk <jwilk@jwilk.net> # @jwilk Jelle van der Waa <jelle@vdwaa.nl> Jelle van der Waa <jelle@vdwaa.nl> # @jelly Jenya Sovetkin <e.sovetkin@gmail.com> Jenya Sovetkin <e.sovetkin@gmail.com> # @esovetkin +JerikoOne <jeriko.one@gmx.us> JerikoOne <jeriko.one@gmx.us> # @jeriko-one Joey Pabalinas <joeypabalinas@gmail.com> Joey Pabalinas <joeypabalinas@gmail.com> # @alyptik Johannes Weißl <jargon@molb.org> Johannes Weißl <jargon@molb.org> # @weisslj Jonathan Perkin <jperkin@netbsd.org> Jonathan Perkin <jperkin@netbsd.org> # @jperkin @@ -80,6 +81,7 @@ Marcin Rajner <mrajner@gik.pw.edu.pl> Marcin Rajner <m Marcin Rajner <mrajner@gik.pw.edu.pl> Marcin Rajner <mrajner@lenovo> # @mrajner Marcin Rajner <mrajner@gik.pw.edu.pl> Marcin Rajner lenovo <mrajner@gik.pw.edu.pl> # @mrajner Marco Hinz <mh.codebro@gmail.com> Marco Hinz <mh.codebro@gmail.com> # @mhinz +Marco Sirabella <marco@sirabella.org> Marco Sirabella <marco@sirabella.org> # @mjsir911 Marius Gedminas <marius@gedmin.as> Marius Gedminas <marius@gedmin.as> # @mgedmin Mehdi Abaakouk <sileht@sileht.net> Mehdi ABAAKOUK <sileht@sileht.net> # @sileht Mehdi Abaakouk <sileht@sileht.net> Mehdi Abaakouk <sileht@sileht.net> # @sileht @@ -156,7 +158,8 @@ Andreas Jobs <unknown> Andreas Jobs <un Andrew Gaul <andrew@gaul.org> Andrew Gaul <andrew@gaul.org> Andrew Nosenko <awn@bcs.zp.ua> Andrew W. Nosenko <awn@bcs.zp.ua> Antoine Reilles <tonio@netbsd.org> Antoine Reilles <tonio@netbsd.org> -Anton Lindqvist <anton.lindqvist@gmail.com> Anton Lindqvist <anton.lindqvist@gmail.com> +Anton Lindqvist <anton@basename.se> Anton Lindqvist <anton.lindqvist@gmail.com> +Anton Lindqvist <anton@basename.se> Anton Lindqvist <anton@basename.se> Armin Wolfermann <aw@osn.de> Armin Wolfermann <aw@osn.de> Aron Griffis <agriffis@n01se.net> Aron Griffis <agriffis@n01se.net> Athanasios Douitsis <aduitsis@gmail.com> Athanasios Douitsis <aduitsis@gmail.com>
newsrc.c+2 −1 modified@@ -601,7 +601,8 @@ int nntp_add_group(char *line, void *data) return 0; /* These sscanf limits must match the sizes of the group and desc arrays */ - if (sscanf(line, "%1023s " ANUM " " ANUM " %c %8191[^\n]", group, &last, &first, &mod, desc) < 4) + if (sscanf(line, "%1023s " ANUM " " ANUM " %c %8191[^\n]", group, &last, + &first, &mod, desc) < 4) { mutt_debug(4, "Cannot parse server line: %s\n", line); return 0;
nntp.c+1 −1 modified@@ -1289,7 +1289,7 @@ static int nntp_fetch_headers(struct Context *ctx, void *hc, anum_t first, fc.restore = restore; fc.messages = mutt_mem_calloc(last - first + 1, sizeof(unsigned char)); if (fc.messages == NULL) - return -1; + return -1; #ifdef USE_HCACHE fc.hc = hc; #endif
pattern.c+8 −8 modified@@ -1885,13 +1885,13 @@ int mutt_pattern_exec(struct Pattern *pat, enum PatternExecFlag flags, case MUTT_SENDER: if (!h->env) return 0; - return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 1, - h->env->sender)); + return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), + 1, h->env->sender)); case MUTT_FROM: if (!h->env) return 0; - return (pat->not ^ - match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 1, h->env->from)); + return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), + 1, h->env->from)); case MUTT_TO: if (!h->env) return 0; @@ -1924,14 +1924,14 @@ int mutt_pattern_exec(struct Pattern *pat, enum PatternExecFlag flags, case MUTT_ADDRESS: if (!h->env) return 0; - return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 4, - h->env->from, h->env->sender, + return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), + 4, h->env->from, h->env->sender, h->env->to, h->env->cc)); case MUTT_RECIPIENT: if (!h->env) return 0; - return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), 2, - h->env->to, h->env->cc)); + return (pat->not ^ match_addrlist(pat, (flags & MUTT_MATCH_FULL_ADDRESS), + 2, h->env->to, h->env->cc)); case MUTT_LIST: /* known list, subscribed or not */ if (!h->env) return 0;
po/bg.po+675 −670 modifiedpo/ca.po+675 −670 modifiedpo/cs.po+675 −670 modifiedpo/da.po+675 −670 modifiedpo/de.po+675 −670 modifiedpo/el.po+675 −670 modifiedpo/en_GB.po+674 −670 modifiedpo/eo.po+675 −670 modifiedpo/es.po+675 −670 modifiedpo/et.po+675 −670 modifiedpo/eu.po+675 −670 modifiedpo/fr.po+675 −670 modifiedpo/ga.po+675 −670 modifiedpo/gl.po+675 −670 modifiedpo/hu.po+675 −670 modifiedpo/id.po+675 −670 modifiedpo/it.po+675 −670 modifiedpo/ja.po+675 −670 modifiedpo/ko.po+675 −670 modifiedpo/lt.po+675 −670 modifiedpo/nl.po+675 −670 modifiedpo/pl.po+675 −670 modifiedpo/pt_BR.po+675 −670 modifiedpo/ru.po+675 −670 modifiedpo/sk.po+675 −670 modifiedpo/sv.po+675 −670 modifiedpo/tr.po+675 −670 modifiedpo/uk.po+675 −670 modifiedpo/zh_CN.po+675 −670 modifiedpo/zh_TW.po+675 −670 modifiedREADME.md+3 −1 modified@@ -2,7 +2,7 @@ [](https://github.com/neomutt/neomutt "Give us a Star") [](https://twitter.com/NeoMutt_Org "Follow us on Twitter") -[](#contributors "All of NeoMutt's Contributors") +[](#contributors "All of NeoMutt's Contributors") [](https://github.com/neomutt/neomutt/releases/latest "Latest Release Notes") [](https://github.com/neomutt/neomutt/blob/master/COPYRIGHT.md "Copyright Statement") [](https://travis-ci.org/neomutt/neomutt "Latest Automatic Code Build") @@ -137,6 +137,7 @@ Here's a list of everyone who's helped NeoMutt: [Jasper Adriaanse](https://github.com/jasperla "jasperla"), [Jelle van der Waa](https://github.com/jelly "jelly"), [Jenya Sovetkin](https://github.com/esovetkin "esovetkin"), +[JerikoOne](https://github.com/jeriko-one "jeriko-one"), [Joey Pabalinas](https://github.com/alyptik "alyptik"), [Johannes Frankenau](https://github.com/tsuflux "tsuflux"), [Johannes Weißl](https://github.com/weisslj "weisslj"), @@ -156,6 +157,7 @@ Here's a list of everyone who's helped NeoMutt: [Manos Pitsidianakis](https://github.com/epilys "epilys"), [Marcin Rajner](https://github.com/mrajner "mrajner"), [Marco Hinz](https://github.com/mhinz "mhinz"), +[Marco Sirabella](https://github.com/mjsir911 "mjsir911"), [Marius Gedminas](https://github.com/mgedmin "mgedmin"), [Mateusz Piotrowski](https://github.com/0mp "0mp"), [Matteo Vescovi](https://github.com/mfvescovi "mfvescovi"),
send.c+2 −1 modified@@ -1076,7 +1076,8 @@ struct Address *mutt_default_from(void) if (From) addr = mutt_addr_copy(From); - else { + else + { addr = mutt_addr_new(); if (UseDomain) {
9e927affe3a0Add alloc fail check in nntp_fetch_headers
1 file changed · +2 −0
nntp.c+2 −0 modified@@ -1288,6 +1288,8 @@ static int nntp_fetch_headers(struct Context *ctx, void *hc, anum_t first, fc.last = last; fc.restore = restore; fc.messages = mutt_mem_calloc(last - first + 1, sizeof(unsigned char)); + if (fc.messages == NULL) + return -1; #ifdef USE_HCACHE fc.hc = hc; #endif
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- www.debian.org/security/2018/dsa-4277mitrevendor-advisoryx_refsource_DEBIAN
- github.com/neomutt/neomutt/commit/9e927affe3a021175f354af5fa01d22657c20585mitrex_refsource_MISC
- lists.debian.org/debian-lts-announce/2018/08/msg00001.htmlmitremailing-listx_refsource_MLIST
- neomutt.org/2018/07/16/releasemitrex_refsource_MISC
News mentions
0No linked articles in our index yet.