{"id":"CVE-2021-3181","details":"rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups). A small email message from the attacker can cause large memory consumption, and the victim may then be unable to see email messages from other persons.","modified":"2026-05-13T10:41:30.122306Z","published":"2021-01-19T15:15:12.327Z","related":["ALSA-2021:4181","SUSE-SU-2021:0195-1","SUSE-SU-2021:0196-1","openSUSE-SU-2021:0161-1","openSUSE-SU-2021:0162-1","openSUSE-SU-2024:11069-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"10.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"9.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"32"}],"cpe":"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","source":"CPE_FIELD"},{"extracted_events":[{"last_affected":"33"}],"cpe":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","source":"CPE_FIELD"}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DXGWXFO77HBCD3VYEIYHHYU33LYWWWNQ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2OMLQKAOHPYQA4GI7ZUO6UKCPUHLYO7/"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/01/19/10"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/01/27/3"},{"type":"ADVISORY","url":"https://gitlab.com/muttmua/mutt/-/issues/323"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/01/msg00017.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202101-25"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4838"},{"type":"FIX","url":"https://gitlab.com/muttmua/mutt/-/commit/4a2becbdb4422aaffe3ce314991b9d670b7adf17"},{"type":"FIX","url":"https://gitlab.com/muttmua/mutt/-/commit/939b02b33ae29bc0d642570c1dcfd4b339037d19"},{"type":"FIX","url":"https://gitlab.com/muttmua/mutt/-/commit/d4305208955c5cdd9fe96dfa61e7c1e14e176a14"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/muttmua/mutt","events":[{"introduced":"0"},{"last_affected":"26f41dd1f7678fc7e09ebc88167c4c6a51b6f4a5"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"2.0.4"}],"cpe":"cpe:2.3:a:mutt:mutt:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["mutt-0-92-10i","mutt-0-92-11i","mutt-0-92-9i","mutt-0-93-unstable","mutt-0-94-10i-rel","mutt-0-94-13-rel","mutt-0-94-14-rel","mutt-0-94-15-rel","mutt-0-94-16i-rel","mutt-0-94-17i-rel","mutt-0-94-18-rel","mutt-0-94-5i-rel","mutt-0-94-6i-rel","mutt-0-94-7i-rel","mutt-0-94-8i-rel","mutt-0-94-9i-p1","mutt-0-94-9i-rel","mutt-0-95-rel","mutt-0-96-1-rel","mutt-0-96-2-slightly-post-release","mutt-0-96-3-rel","mutt-0-96-4-rel","mutt-0-96-5-rel","mutt-0-96-6-rel","mutt-0-96-7-rel","mutt-0-96-8-rel","mutt-0-96-rel","mutt-1-1-1-1-rel","mutt-1-1-1-2-rel","mutt-1-1-1-rel","mutt-1-1-10-rel","mutt-1-1-11-rel","mutt-1-1-12-rel","mutt-1-1-13-rel","mutt-1-1-14-rel","mutt-1-1-2-rel","mutt-1-1-3-rel","mutt-1-1-4-rel","mutt-1-1-5-rel","mutt-1-1-6-rel","mutt-1-1-7-rel","mutt-1-1-8-rel","mutt-1-1-9-rel","mutt-1-1-rel","mutt-1-10-rel","mutt-1-11-rel","mutt-1-12-rel","mutt-1-13-rel","mutt-1-14-rel","mutt-1-3-1-rel","mutt-1-3-10-rel","mutt-1-3-11-rel","mutt-1-3-12-rel","mutt-1-3-13-rel","mutt-1-3-14-rel","mutt-1-3-15-rel","mutt-1-3-16-rel","mutt-1-3-17-rel","mutt-1-3-18-rel","mutt-1-3-19-rel","mutt-1-3-2-rel","mutt-1-3-20-rel","mutt-1-3-21-rel","mutt-1-3-22-1-rel","mutt-1-3-22-rel","mutt-1-3-23-1-rel","mutt-1-3-23-2-rel","mutt-1-3-23-rel","mutt-1-3-24-rel","mutt-1-3-25-rel","mutt-1-3-26-rel","mutt-1-3-27-rel","mutt-1-3-3-rel","mutt-1-3-4-rel","mutt-1-3-5-rel","mutt-1-3-6-rel","mutt-1-3-7-rel","mutt-1-3-8-rel","mutt-1-3-9-rel","mutt-1-3-rel","mutt-1-5-1-rel","mutt-1-5-15-rel","mutt-1-5-16-rel","mutt-1-5-17-rel","mutt-1-5-18-rel","mutt-1-5-19-rel","mutt-1-5-2-rel","mutt-1-5-20-rel","mutt-1-5-21-rel","mutt-1-5-22-rel","mutt-1-5-24-rel","mutt-1-5-3-rel","mutt-1-5-4-rel","mutt-1-5-5-1-rel","mutt-1-5-5-rel","mutt-1-5-6-rel","mutt-1-6-rel","mutt-1-7-rel","mutt-1-8-rel","mutt-1-9-rel","mutt-2-0-1-rel","mutt-2-0-2-rel","mutt-2-0-3-rel","mutt-2-0-4-rel","mutt-2-0-rel","post-type-punning-patch","pre-type-punning-patch"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-3181.json"}},{"ranges":[{"type":"GIT","repo":"https://gitlab.com/muttmua/mutt","events":[{"introduced":"0"},{"fixed":"4a2becbdb4422aaffe3ce314991b9d670b7adf17"},{"fixed":"939b02b33ae29bc0d642570c1dcfd4b339037d19"},{"fixed":"d4305208955c5cdd9fe96dfa61e7c1e14e176a14"}],"database_specific":{"source":"REFERENCES"}}],"versions":["mutt-0-92-10i","mutt-0-92-11i","mutt-0-92-9i","mutt-0-93-unstable","mutt-0-94-10i-rel","mutt-0-94-13-rel","mutt-0-94-14-rel","mutt-0-94-15-rel","mutt-0-94-16i-rel","mutt-0-94-17i-rel","mutt-0-94-18-rel","mutt-0-94-5i-rel","mutt-0-94-6i-rel","mutt-0-94-7i-rel","mutt-0-94-8i-rel","mutt-0-94-9i-p1","mutt-0-94-9i-rel","mutt-0-95-rel","mutt-0-96-1-rel","mutt-0-96-2-slightly-post-release","mutt-0-96-3-rel","mutt-0-96-4-rel","mutt-0-96-5-rel","mutt-0-96-6-rel","mutt-0-96-7-rel","mutt-0-96-8-rel","mutt-0-96-rel","mutt-1-1-1-1-rel","mutt-1-1-1-2-rel","mutt-1-1-1-rel","mutt-1-1-10-rel","mutt-1-1-11-rel","mutt-1-1-12-rel","mutt-1-1-13-rel","mutt-1-1-14-rel","mutt-1-1-2-rel","mutt-1-1-3-rel","mutt-1-1-4-rel","mutt-1-1-5-rel","mutt-1-1-6-rel","mutt-1-1-7-rel","mutt-1-1-8-rel","mutt-1-1-9-rel","mutt-1-1-rel","mutt-1-10-rel","mutt-1-11-rel","mutt-1-12-rel","mutt-1-13-rel","mutt-1-14-rel","mutt-1-3-1-rel","mutt-1-3-10-rel","mutt-1-3-11-rel","mutt-1-3-12-rel","mutt-1-3-13-rel","mutt-1-3-14-rel","mutt-1-3-15-rel","mutt-1-3-16-rel","mutt-1-3-17-rel","mutt-1-3-18-rel","mutt-1-3-19-rel","mutt-1-3-2-rel","mutt-1-3-20-rel","mutt-1-3-21-rel","mutt-1-3-22-1-rel","mutt-1-3-22-rel","mutt-1-3-23-1-rel","mutt-1-3-23-2-rel","mutt-1-3-23-rel","mutt-1-3-24-rel","mutt-1-3-25-rel","mutt-1-3-26-rel","mutt-1-3-27-rel","mutt-1-3-3-rel","mutt-1-3-4-rel","mutt-1-3-5-rel","mutt-1-3-6-rel","mutt-1-3-7-rel","mutt-1-3-8-rel","mutt-1-3-9-rel","mutt-1-3-rel","mutt-1-5-1-rel","mutt-1-5-15-rel","mutt-1-5-16-rel","mutt-1-5-17-rel","mutt-1-5-18-rel","mutt-1-5-19-rel","mutt-1-5-2-rel","mutt-1-5-20-rel","mutt-1-5-21-rel","mutt-1-5-22-rel","mutt-1-5-24-rel","mutt-1-5-3-rel","mutt-1-5-4-rel","mutt-1-5-5-1-rel","mutt-1-5-5-rel","mutt-1-5-6-rel","mutt-1-6-rel","mutt-1-7-rel","mutt-1-8-rel","mutt-1-9-rel","mutt-2-0-1-rel","mutt-2-0-2-rel","mutt-2-0-3-rel","mutt-2-0-4-rel","mutt-2-0-rel","post-type-punning-patch","pre-type-punning-patch"],"database_specific":{"vanir_signatures":[{"source":"https://gitlab.com/muttmua/mutt@939b02b33ae29bc0d642570c1dcfd4b339037d19","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["119922534699700865141855793049624050921","332665935867995423402956330231494240991","113335306993783950353079467662358066062","56054890969183425964261008809715413083","15821560693194673009670366725139481041","147877264450199877172028045231315787752","264553291052471526685305788884150907624","155537299934522521569547473095866518833","77949292764677261573303057440465213463","6999739727252690263416602034441293005","144951443424373747271981120756631784773","322127592728552953921177602651402808684","260875731909127696761130908418911405081","180830938022783171785510199746013939504","24243105577259289922807719596320141540","62462404231016380828020626158156355570"]},"id":"CVE-2021-3181-434d395c","signature_type":"Line","deprecated":false,"target":{"file":"rfc822.c"}},{"source":"https://gitlab.com/muttmua/mutt@d4305208955c5cdd9fe96dfa61e7c1e14e176a14","signature_version":"v1","digest":{"length":3623,"function_hash":"50134787346260602477409367282502923963"},"id":"CVE-2021-3181-6da71b13","signature_type":"Function","deprecated":false,"target":{"function":"rfc822_parse_adrlist","file":"rfc822.c"}},{"source":"https://gitlab.com/muttmua/mutt@939b02b33ae29bc0d642570c1dcfd4b339037d19","signature_version":"v1","digest":{"length":3586,"function_hash":"126037132878735577070376896834556723105"},"id":"CVE-2021-3181-75e8e631","signature_type":"Function","deprecated":false,"target":{"function":"rfc822_parse_adrlist","file":"rfc822.c"}},{"source":"https://gitlab.com/muttmua/mutt@4a2becbdb4422aaffe3ce314991b9d670b7adf17","signature_version":"v1","digest":{"length":3590,"function_hash":"263707038947612484698445817127090691131"},"id":"CVE-2021-3181-86ac11dc","signature_type":"Function","deprecated":false,"target":{"function":"rfc822_parse_adrlist","file":"rfc822.c"}},{"source":"https://gitlab.com/muttmua/mutt@d4305208955c5cdd9fe96dfa61e7c1e14e176a14","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["77529526355923484295434302940801657974","125903562442061338608719905164678654360","85581796697069081872133627060725648695"]},"id":"CVE-2021-3181-a5deccbd","signature_type":"Line","deprecated":false,"target":{"file":"rfc822.c"}},{"source":"https://gitlab.com/muttmua/mutt@4a2becbdb4422aaffe3ce314991b9d670b7adf17","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["44064037161136642093186503649177487535","190402456001848709447198538528851128836","115329182337499589335103687504581291960","311493693951459938537062791570122325124","58539714682203662620009591366323991427","104096131218460858900122216256241288988","121882502105934751420308939305441686657","207321429528723917740934594736984658584"]},"id":"CVE-2021-3181-e691b2b7","signature_type":"Line","deprecated":false,"target":{"file":"rfc822.c"}}],"vanir_signatures_modified":"2026-05-13T10:41:30Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-3181.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}