CVE-2021-36386
Description
report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Fetchmail before 6.4.20 omits vsnprintf va_list initialization in report_vbuild, potentially allowing mail servers to cause a denial of service or leak memory via long error messages.
Vulnerability
The vulnerability resides in the report_vbuild function in report.c of Fetchmail. In all supported versions up to and including 6.4.19, the call to vsnprintf sometimes omits initialization of the va_list argument, leading to undefined behavior. This can be triggered when the mail server sends an error response longer than approximately 2 kB, causing Fetchmail to read from unintended memory locations. Affected versions are those up to 6.4.19, and also 6.4.20 (which fixed the original bug but introduced a regression in buffered output that was corrected in 6.4.21). [3] The issue was originally reported for versions up to 6.3.8 and from 6.3.17 through 6.4.19, with 6.3.9–6.3.16 being unaffected. [3]
Exploitation
An attacker controlling a mail server that Fetchmail connects to can send specially crafted long protocol error messages. No authentication or user interaction from the Fetchmail client side is required beyond normal mail retrieval operations. When Fetchmail attempts to log the error message, the uninitialized va_list causes the program to read arbitrary memory, which may lead to a crash (denial of service) or exposure of sensitive data. The issue manifests only on some platforms or configurations. [2][3]
Impact
Successful exploitation can result in Fetchmail crashing (denial of service), stalling inbound mail delivery, or in some cases, leaking potentially sensitive memory contents via logs. The impact is considered low because it requires a malicious mail server and the effect is often limited to a client-side crash or garbled logs. [3] The CVE description notes it is unclear whether real-world platforms see impact beyond client inconvenience. [desc]
Mitigation
Fetchmail 6.4.20 was released on 2021-07-28 to fix the va_list initialization issue, but it introduced a regression that caused message truncation when buffered output (e.g., --logfile) was used. A complete fix is available in Fetchmail 6.4.21, released on 2021-08-09, which includes both the security fix and the regression correction. Affected users should upgrade to version 6.4.21 or apply patches from Git commits c546c829 and d3db2da1. [1][3] Versions 6.3.x and older are no longer supported. [4]
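The retry path described under Vulnerability and the va_copy-based correction under Mitigation, as an added C illustration that is not fetchmail's code: a growable-buffer formatter in the style of report_vbuild. It assumes a 2 kB first-attempt buffer and a constructed hostname; fetchmail's actual patch shape is not reproduced, only the bug class and its fix pattern.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define INITIAL_CAP 2048  /* constructed: the ~2 kB first-attempt buffer from the text */
/* Growable-buffer formatter in the style of report_vbuild (illustration only).
 * vsnprintf consumes a va_list, so a retry that reuses the caller's list without
 * re-initialising it is the bug class the advisory describes; every attempt here
 * formats from its own va_copy instead, which is the fix pattern. */
static char *vbuild(const char *fmt, va_list args)
{
    size_t cap = INITIAL_CAP;
    char *buf = malloc(cap);
    if (!buf) return NULL;
    for (;;) {
        va_list ap;
        va_copy(ap, args);                    /* fresh, valid list for this pass */
        int n = vsnprintf(buf, cap, fmt, ap);
        va_end(ap);
        if (n < 0) { free(buf); return NULL; }
        if ((size_t)n < cap) return buf;      /* fit, terminating NUL included */
        cap = (size_t)n + 1;                  /* grow to the exact size and retry */
        char *nb = realloc(buf, cap);
        if (!nb) { free(buf); return NULL; }
        buf = nb;
    }
}

/* Variadic front end; the caller frees the returned string. */
char *build_message(const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    char *s = vbuild(fmt, args);
    va_end(args);
    return s;
}

/* Formats a log line for a constructed server error of err_len 'x' bytes and
 * returns its length (-1 on allocation failure, -2 if the text is mangled).
 * Errors longer than INITIAL_CAP - 36 bytes drive the retry path. */
long report_len(size_t err_len)
{
    static const char host[] = "imap.example.invalid";   /* constructed hostname */
    char *err = malloc(err_len + 1);
    if (!err) return -1;
    memset(err, 'x', err_len); err[err_len] = '\0';
    char *msg = build_message("%s: server error: %s", host, err);
    long len = msg ? (long)strlen(msg) : -1;
    if (len > 0 && (strncmp(msg, host, sizeof host - 1) != 0 || msg[len - 1] != 'x')) len = -2;
    free(msg); free(err);
    return len;
}
```

Messages of 2012 bytes or more of server error text overflow the first 2048-byte attempt and exercise the retry, which is where a stale va_list would have been read.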
- [1] oss-security: fetchmail 6.4.21 released / regression fix for 6.4.20's security fix, and UPDATE: fetchmail <= 6.4.19 security announcement 2021-01 (CVE-2021-36386)
- [2] oss-security: ANNOUNCE: fetchmail <= 6.4.19 security announcement 2021-01 (CVE-2021-36386)
- [3] https://www.fetchmail.info/fetchmail-SA-2021-01.txt
- [4] Fetchmail Security and Errata Information
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Fetchmail/Fetchmail (33 affected package coordinates across AlmaLinux, openSUSE and SUSE distributions)
- (no CPE) affected range: < 6.4.24-1.el8
- (no CPE) affected range: < 6.3.26-lp152.6.6.1
- (no CPE) affected range: < 6.3.26-20.14.1
- (no CPE) affected range: < 6.4.21-2.1
- (no CPE) affected range: < 6.3.26-13.12.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGYO5AHSXTCKA4NQC2Z4H3XMMYNAGC77/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OIXKO6QW3AUHGJVWKJXBCOVBYJUJRBFC/ (mitre, vendor-advisory, x_refsource_FEDORA)
- security.gentoo.org/glsa/202209-14 (mitre, vendor-advisory, x_refsource_GENTOO)
- www.openwall.com/lists/oss-security/2021/07/28/5 (mitre, x_refsource_MISC)
- www.openwall.com/lists/oss-security/2021/08/09/1 (mitre, mailing-list, x_refsource_MLIST)
- www.fetchmail.info/fetchmail-SA-2021-01.txt (mitre, x_refsource_CONFIRM)
- www.fetchmail.info/security.html (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.