{"id":"CVE-2018-14359","details":"An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They have a buffer overflow via base64 data.","modified":"2026-04-16T06:21:00.386143404Z","published":"2018-07-17T17:29:00.810Z","related":["SUSE-SU-2018:2084-1","SUSE-SU-2018:2085-1","SUSE-SU-2018:2403-1","SUSE-SU-2019:1196-1","openSUSE-SU-2024:11069-1","openSUSE-SU-2024:11079-1"],"references":[{"type":"ADVISORY","url":"https://usn.ubuntu.com/3719-2/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4277"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/08/msg00001.html"},{"type":"ADVISORY","url":"https://neomutt.org/2018/07/16/release"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3719-3/"},{"type":"ADVISORY","url":"http://www.mutt.org/news.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201810-07"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3719-1/"},{"type":"FIX","url":"https://github.com/neomutt/neomutt/commit/6f163e07ae68654d7ac5268cbb7565f6df79ad85"},{"type":"FIX","url":"https://gitlab.com/muttmua/mutt/commit/3d9028fec8f4d08db2251096307c0bbbebce669a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/muttmua/mutt","events":[{"introduced":"0"},{"fixed":"ed9d7727dc705754871e31cb41420f0ea956495b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.10.1"}]}},{"type":"GIT","repo":"https://github.com/neomutt/neomutt","events":[{"introduced":"0"},{"fixed":"6a147a62cf39c2a12cf2e96a8a62f378164548fa"},{"fixed":"6f163e07ae68654d7ac5268cbb7565f6df79ad85"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"20180716"}]}},{"type":"GIT","repo":"https://gitlab.com/muttmua/mutt","events":[{"introduced":"0"},{"fixed":"3d9028fec8f4d08db2251096307c0bbbebce669a"}]}],"versions":["mutt-0-92-10i","mutt-0-92-11i","mutt-0-92-9i","mutt-0-93-unstable","mutt-0-94-10i-rel","mutt-0-94-13-rel","mutt-0-94-14-rel","mutt-0-94-15-rel","mutt-0-94-16i-rel","mutt-0-94-17i-rel","mutt-0-94-18-rel","mutt-0-94-5i-rel","mutt-0-94-6i-rel","mutt-0-94-7i-rel","mutt-0-94-8i-rel","mutt-0-94-9i-p1","mutt-0-94-9i-rel","mutt-0-95-rel","mutt-0-96-1-rel","mutt-0-96-2-slightly-post-release","mutt-0-96-3-rel","mutt-0-96-4-rel","mutt-0-96-5-rel","mutt-0-96-6-rel","mutt-0-96-7-rel","mutt-0-96-8-rel","mutt-0-96-rel","mutt-1-1-1-1-rel","mutt-1-1-1-2-rel","mutt-1-1-1-rel","mutt-1-1-10-rel","mutt-1-1-11-rel","mutt-1-1-12-rel","mutt-1-1-13-rel","mutt-1-1-14-rel","mutt-1-1-2-rel","mutt-1-1-3-rel","mutt-1-1-4-rel","mutt-1-1-5-rel","mutt-1-1-6-rel","mutt-1-1-7-rel","mutt-1-1-8-rel","mutt-1-1-9-rel","mutt-1-1-rel","mutt-1-10-rel","mutt-1-3-1-rel","mutt-1-3-10-rel","mutt-1-3-11-rel","mutt-1-3-12-rel","mutt-1-3-13-rel","mutt-1-3-14-rel","mutt-1-3-15-rel","mutt-1-3-16-rel","mutt-1-3-17-rel","mutt-1-3-18-rel","mutt-1-3-19-rel","mutt-1-3-2-rel","mutt-1-3-20-rel","mutt-1-3-21-rel","mutt-1-3-22-1-rel","mutt-1-3-22-rel","mutt-1-3-23-1-rel","mutt-1-3-23-2-rel","mutt-1-3-23-rel","mutt-1-3-24-rel","mutt-1-3-25-rel","mutt-1-3-26-rel","mutt-1-3-27-rel","mutt-1-3-3-rel","mutt-1-3-4-rel","mutt-1-3-5-rel","mutt-1-3-6-rel","mutt-1-3-7-rel","mutt-1-3-8-rel","mutt-1-3-9-rel","mutt-1-3-rel","mutt-1-5-1-rel","mutt-1-5-15-rel","mutt-1-5-16-rel","mutt-1-5-17-rel","mutt-1-5-18-rel","mutt-1-5-19-rel","mutt-1-5-2-rel","mutt-1-5-20-rel","mutt-1-5-21-rel","mutt-1-5-22-rel","mutt-1-5-24-rel","mutt-1-5-3-rel","mutt-1-5-4-rel","mutt-1-5-5-1-rel","mutt-1-5-5-rel","mutt-1-5-6-rel","mutt-1-6-rel","mutt-1-7-rel","mutt-1-8-rel","mutt-1-9-rel","neomutt-20160822","neomutt-20160827","neomutt-20160910","neomutt-20160916","neomutt-20161002","neomutt-20161003","neomutt-20161014","neomutt-20161028","neomutt-20161104","neomutt-20161126","neomutt-20170113","neomutt-20170128","neomutt-20170206","neomutt-20170225","neomutt-20170306","neomutt-20170414","neomutt-20170421","neomutt-20170428","neomutt-20170526","neomutt-20170602","neomutt-20170609","neomutt-20170707","neomutt-20170714","neomutt-20170907","neomutt-20170912","neomutt-20171006","neomutt-20171013","neomutt-20171027","neomutt-20171208","neomutt-20171215","neomutt-20180223","neomutt-20180323","neomutt-20180512","neomutt-20180622","post-type-punning-patch","pre-type-punning-patch"],"database_specific":{"vanir_signatures":[{"digest":{"line_hashes":["153768277961060167864334285826259419747","102268880672857639220045249823794651890","91963911374221633154355755486277580914","228759954250912812009968627975196126421","306061266471845467852255193353802948648","12237949386884273278726263633432751461","108567359504359056847420018003873049691","168973084933297240702217529218584275067","317984738147789818840482034184599928029","131274440305093870320785988238640241765","5235631967516439438139742220922542574","206970560610027266653948930343907943239","332918148049357413899187196729262046995","49193754112955113564034482528918717584","56768711447245246226032957527712743555"],"threshold":0.9},"signature_type":"Line","signature_version":"v1","target":{"file":"base64.c"},"id":"CVE-2018-14359-05af4793","source":"https://gitlab.com/muttmua/mutt@3d9028fec8f4d08db2251096307c0bbbebce669a","deprecated":false},{"digest":{"line_hashes":["170621448793913924944827456610963459441","231613305411183898125425092925340835388","57674962492841657633648559763767418872","190383585417449404916987809431088647236","189195781954732653695087252928033367904","231613305411183898125425092925340835388","126345241363695084450643957157535123394","146698483804155661625341057630495795170"],"threshold":0.9},"source":"https://github.com/neomutt/neomutt/commit/6f163e07ae68654d7ac5268cbb7565f6df79ad85","signature_version":"v1","target":{"file":"imap/auth_gss.c"},"id":"CVE-2018-14359-104821c6","deprecated":false,"signature_type":"Line"},{"digest":{"function_hash":"59477742291857329756021059346635954403","length":1916},"signature_type":"Function","signature_version":"v1","target":{"function":"imap_auth_cram_md5","file":"imap/auth_cram.c"},"id":"CVE-2018-14359-1594a896","source":"https://gitlab.com/muttmua/mutt@3d9028fec8f4d08db2251096307c0bbbebce669a","deprecated":false},{"digest":{"function_hash":"321899208950797129745099103492249859456","length":384},"signature_type":"Function","signature_version":"v1","target":{"function":"test_base64_decode","file":"test/base64.c"},"id":"CVE-2018-14359-2c110996","source":"https://github.com/neomutt/neomutt/commit/6f163e07ae68654d7ac5268cbb7565f6df79ad85","deprecated":false},{"digest":{"line_hashes":["99127541401354891968740557499048691410","218563553126289063637091620286088531771","65314913672063152893460603808902691784","278178332204841455012917146465815669346","69116229459518722593479613001259113566","12237949386884273278726263633432751461","108567359504359056847420018003873049691","168973084933297240702217529218584275067","317984738147789818840482034184599928029","131274440305093870320785988238640241765","5235631967516439438139742220922542574","206970560610027266653948930343907943239","332918148049357413899187196729262046995","49193754112955113564034482528918717584","56768711447245246226032957527712743555"],"threshold":0.9},"source":"https://github.com/neomutt/neomutt/commit/6f163e07ae68654d7ac5268cbb7565f6df79ad85","signature_version":"v1","target":{"file":"mutt/base64.c"},"id":"CVE-2018-14359-31d688cf","deprecated":false,"signature_type":"Line"},{"digest":{"function_hash":"107395427896516810086388856770809137549","length":840},"source":"https://gitlab.com/muttmua/mutt@3d9028fec8f4d08db2251096307c0bbbebce669a","signature_version":"v1","target":{"function":"mutt_from_base64","file":"base64.c"},"id":"CVE-2018-14359-3e4a8dc1","deprecated":false,"signature_type":"Function"},{"digest":{"function_hash":"1638323998950492409601115114444522290","length":863},"signature_type":"Function","signature_version":"v1","target":{"function":"rfc2047_decode_word","file":"mutt/rfc2047.c"},"id":"CVE-2018-14359-4a8bcc6e","deprecated":false,"source":"https://github.com/neomutt/neomutt/commit/6f163e07ae68654d7ac5268cbb7565f6df79ad85"},{"digest":{"function_hash":"71677689253177498109790607719914175581","length":964},"source":"https://github.com/neomutt/neomutt/commit/6f163e07ae68654d7ac5268cbb7565f6df79ad85","signature_version":"v1","target":{"function":"test_base64_lengths","file":"test/base64.c"},"id":"CVE-2018-14359-50da5f3a","deprecated":false,"signature_type":"Function"},{"digest":{"function_hash":"175135246146244314402470571595301272970","length":900},"signature_type":"Function","signature_version":"v1","target":{"function":"mutt_b64_decode","file":"mutt/base64.c"},"id":"CVE-2018-14359-63920874","deprecated":false,"source":"https://github.com/neomutt/neomutt/commit/6f163e07ae68654d7ac5268cbb7565f6df79ad85"},{"digest":{"line_hashes":["105792336995991705091679605878165018059","197353339740669470422273964615458660047","313735985207332729977821800188565738264","255805326377243998192486085405375263975","301395139188139896051096331662722817812","197353339740669470422273964615458660047","206593214266595156151305797660451613434","137067073770485052816948117490727385077"],"threshold":0.9},"deprecated":false,"signature_version":"v1","target":{"file":"imap/auth_gss.c"},"signature_type":"Line","source":"https://gitlab.com/muttmua/mutt@3d9028fec8f4d08db2251096307c0bbbebce669a","id":"CVE-2018-14359-70a0d26f"},{"digest":{"line_hashes":["64208782740477900985491802964397504718","284443301940441747854294835906975137245","183757353808180020615871866575762758309","8460128022264047499354644747027208738","36839972933906608377550681745011318206"],"threshold":0.9},"source":"https://github.com/neomutt/neomutt/commit/6f163e07ae68654d7ac5268cbb7565f6df79ad85","signature_version":"v1","target":{"file":"mutt/rfc2047.c"},"id":"CVE-2018-14359-9f5a3eb9","deprecated":false,"signature_type":"Line"},{"digest":{"line_hashes":["320039300503735351256676807857701994002","110249849427719621708798847244046893228","34915653126548549687352784277821707392","304798962263562364598766114544599172252"],"threshold":0.9},"signature_type":"Line","signature_version":"v1","target":{"file":"protos.h"},"id":"CVE-2018-14359-a1d6c0af","source":"https://gitlab.com/muttmua/mutt@3d9028fec8f4d08db2251096307c0bbbebce669a","deprecated":false},{"digest":{"function_hash":"92302804572294578203596709881741638820","length":5336},"deprecated":false,"signature_version":"v1","target":{"function":"imap_auth_gss","file":"imap/auth_gss.c"},"signature_type":"Function","source":"https://github.com/neomutt/neomutt/commit/6f163e07ae68654d7ac5268cbb7565f6df79ad85","id":"CVE-2018-14359-a7f611d8"},{"digest":{"line_hashes":["222738012797999195196208749687944918770","263547822552747103974869527851325912787","121150018590884657007472397488336408883","112773414599001632559095594431014451978","141160149137700310356313514980651373321","57272758479076932482525074747905917989","139131822801831335490898329306531073850","265645493996670597783275711526280753912","181925229516136098307300524165073184045","265477729022385411795722729377075955004","221872957325402020560929402050848774224","60561988406277786327274450663046903590"],"threshold":0.9},"signature_type":"Line","signature_version":"v1","target":{"file":"test/base64.c"},"id":"CVE-2018-14359-ac63d2b4","deprecated":false,"source":"https://github.com/neomutt/neomutt/commit/6f163e07ae68654d7ac5268cbb7565f6df79ad85"},{"digest":{"line_hashes":["59764822133063358401313791150907963958","321681706942428886573620265781489635405","118146097623429047065828181292538072095","161050960662701466156054628727776605634"],"threshold":0.9},"source":"https://gitlab.com/muttmua/mutt@3d9028fec8f4d08db2251096307c0bbbebce669a","signature_version":"v1","target":{"file":"imap/auth_cram.c"},"id":"CVE-2018-14359-bb0c697f","deprecated":false,"signature_type":"Line"},{"digest":{"line_hashes":["62505678466117443887763921933813840273","326212190986600335583073669470236954760"],"threshold":0.9},"source":"https://github.com/neomutt/neomutt/commit/6f163e07ae68654d7ac5268cbb7565f6df79ad85","signature_version":"v1","target":{"file":"mutt/base64.h"},"id":"CVE-2018-14359-c639f3d2","deprecated":false,"signature_type":"Line"},{"digest":{"function_hash":"81823740530474063100869658341022898786","length":1592},"signature_type":"Function","signature_version":"v1","target":{"function":"imap_auth_cram_md5","file":"imap/auth_cram.c"},"id":"CVE-2018-14359-cd4d3254","source":"https://github.com/neomutt/neomutt/commit/6f163e07ae68654d7ac5268cbb7565f6df79ad85","deprecated":false},{"digest":{"line_hashes":["203564807413086737557197163884376929581","117786898421718050285789808502564053871","188886481078498107276638481084845740351","276291823225065957726669073947937007611"],"threshold":0.9},"signature_type":"Line","signature_version":"v1","target":{"file":"imap/auth_cram.c"},"id":"CVE-2018-14359-eb3a80a2","source":"https://github.com/neomutt/neomutt/commit/6f163e07ae68654d7ac5268cbb7565f6df79ad85","deprecated":false},{"digest":{"function_hash":"109547242779399272451787572706066289512","length":5734},"signature_type":"Function","signature_version":"v1","target":{"function":"imap_auth_gss","file":"imap/auth_gss.c"},"id":"CVE-2018-14359-f79d19cf","deprecated":false,"source":"https://gitlab.com/muttmua/mutt@3d9028fec8f4d08db2251096307c0bbbebce669a"}],"vanir_signatures_modified":"2026-04-11T12:27:32Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-14359.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"12.04"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}