CVE-2021-32055

9.1 CRITICAL

📋 TL;DR

CVE-2021-32055 is an out-of-bounds read vulnerability in the Mutt and NeoMutt email clients, triggered when they process malformed IMAP sequence sets with QRESYNC enabled. It could allow attackers to read sensitive memory contents or cause application crashes. Only users who have enabled the non-default $imap_qresync setting are affected.

💻 Affected Systems

Products:
  • Mutt
  • NeoMutt
Versions: Mutt 1.11.0 through 2.0.6, NeoMutt 2019-10-25 through 2021-05-04
Operating Systems: All platforms running affected Mutt/NeoMutt versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when $imap_qresync setting is explicitly enabled (disabled by default). QRESYNC is an IMAP extension for mailbox synchronization.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Information disclosure of sensitive memory contents, potentially including authentication credentials or email content, leading to complete compromise of email accounts.

🟠 Likely Case

Application crash (denial of service) when processing specially crafted IMAP responses from a malicious server.

🟢 If Mitigated

No impact since the vulnerable feature is disabled by default and requires explicit configuration.

🌐 Internet-Facing: MEDIUM - Requires connecting to a malicious IMAP server, which is plausible for email clients.
🏢 Internal Only: LOW - Requires internal malicious IMAP server, which is less likely in controlled environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a malicious IMAP server that the client connects to, and the client must have QRESYNC enabled. The attacker needs to control or compromise an IMAP server that the victim connects to.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Mutt 2.0.7, NeoMutt after 2021-05-04

Vendor Advisory: http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20210503/000036.html

Restart Required: Yes

Instructions:

1. Update Mutt to version 2.0.7 or later.
2. Update NeoMutt to a version after 2021-05-04.
3. Restart the Mutt/NeoMutt application after updating.

🔧 Temporary Workarounds

Disable QRESYNC feature

all

Disable the vulnerable $imap_qresync setting in Mutt/NeoMutt configuration

Add 'unset imap_qresync' to your .muttrc or neomuttrc configuration file

🧯 If You Can't Patch

  • Disable $imap_qresync setting in configuration files
  • Avoid connecting to untrusted or unknown IMAP servers

🔍 How to Verify

Check if Vulnerable:

Check if $imap_qresync is set in your configuration and verify Mutt/NeoMutt version is in affected range

Check Version:

mutt -v | grep 'Mutt'
neomutt -v | grep 'NeoMutt'

Verify Fix Applied:

Verify Mutt version is 2.0.7+ or NeoMutt version is after 2021-05-04, and check that $imap_qresync is either unset or disabled
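
The two checks above (version in the affected range, $imap_qresync enabled) can be combined in a small triage script. This is an added example, not code from the vendor advisory or from Mutt/NeoMutt; the function names are hypothetical, and it assumes the version string and the path to the configuration file are passed in by the caller.

```sh
#!/bin/sh
# Return 0 if a Mutt version such as "2.0.5" lies in 1.11.0 .. 2.0.6.
mutt_version_affected() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split "major.minor.patch" on dots
    IFS=$old_ifs
    v=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
    [ "$v" -ge 1011000 ] && [ "$v" -le 2000006 ]
}

# Return 0 if a NeoMutt release (20210205 or 2021-02-05) lies in 2019-10-25 .. 2021-05-04.
neomutt_version_affected() {
    d=$(printf '%s' "$1" | tr -d '-')
    [ "$d" -ge 20191025 ] && [ "$d" -le 20210504 ]
}

# Return 0 if the last imap_qresync directive in config file $1 enables it.
# Assumption: 'source'd files and the inv/toggle forms are not evaluated.
qresync_enabled() {
    awk '
        /^[ \t]*#/ { next }                     # skip comment lines
        {
            gsub(/[ \t]*=[ \t]*/, "=")          # "var = yes" -> "var=yes"
            gsub(/"/, "")                       # drop double quotes
            for (i = 2; i <= NF; i++) {
                if ($1 == "unset" && $i == "imap_qresync") on = 0
                if ($1 != "set") continue
                if ($i == "imap_qresync" || $i == "imap_qresync=yes") on = 1
                if ($i == "noimap_qresync" || $i == "imap_qresync=no") on = 0
            }
        }
        END { exit (on ? 0 : 1) }               # unset by default
    ' "$1"
}

# exposed <mutt|neomutt> <version> <config-file>: 0 = affected version AND QRESYNC on.
exposed() {
    case $1 in
        mutt)    mutt_version_affected "$2" ;;
        neomutt) neomutt_version_affected "$2" ;;
        *)       return 2 ;;
    esac && qresync_enabled "$3"
}

# Constructed sample config, not taken from a real system.
sample=$(mktemp)
printf '%s\n' '# set imap_qresync=no' 'set imap_idle imap_qresync = "yes"' > "$sample"
exposed mutt 2.0.5 "$sample" && echo "mutt 2.0.5 + this config: exposed"
```

Run `exposed` once per configuration file the client actually loads, since a setting in a file pulled in with `source` is not seen by this check.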

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or segmentation faults when processing IMAP responses
  • Error messages related to IMAP sequence parsing

Network Indicators:

  • Connections to suspicious or unknown IMAP servers

SIEM Query:

process_name IN ('mutt', 'neomutt') AND event_type='crash'
