{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-43964", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-05-04T18:10:10.120Z", "datePublished": "2026-05-04T18:10:10.509Z", "dateUpdated": "2026-05-04T22:21:13.917Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Postfix", "vendor": "Postfix", "versions": [{"lessThan": "3.8.16", "status": "affected", "version": "2.3", "versionType": "custom"}, {"lessThan": "3.9.10", "status": "affected", "version": "3.9", "versionType": "custom"}, {"lessThan": "3.10.9", "status": "affected", "version": "3.10", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-193", "description": "CWE-193 Off-by-one Error", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-05-04T18:28:07.825Z"}, "references": [{"url": "https://www.mail-archive.com/postfix-announce@postfix.org/msg00110.html"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.3", "versionEndExcluding": "3.8.16"}, {"vulnerable": true, "criteria": "cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "3.9.10"}, {"vulnerable": true, "criteria": "cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10", "versionEndExcluding": "3.10.9"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-04T19:49:30.949584Z", "id": "CVE-2026-43964", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-04T19:49:41.165Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/04/30"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-05-04T22:21:13.917Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/04/30"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-05-04T22:21:13.917Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-43964", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-04T19:49:30.949584Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-04T19:49:36.675Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Postfix", "product": "Postfix", "versions": [{"status": "affected", "version": "2.3", "lessThan": "3.8.16", "versionType": "custom"}, {"status": "affected", "version": "3.9", "lessThan": "3.9.10", "versionType": "custom"}, {"status": "affected", "version": "3.10", "lessThan": "3.10.9", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.mail-archive.com/postfix-announce@postfix.org/msg00110.html"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-193", "description": "CWE-193 Off-by-one Error"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.8.16", "versionStartIncluding": "2.3"}, {"criteria": "cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.9.10", "versionStartIncluding": "3.9"}, {"criteria": "cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.10.9", "versionStartIncluding": "3.10"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-05-04T18:28:07.825Z"}}}, "cveMetadata": {"cveId": "CVE-2026-43964", "state": "PUBLISHED", "dateUpdated": "2026-05-04T22:21:13.917Z", "dateReserved": "2026-05-04T18:10:10.120Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-05-04T18:10:10.509Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*:*", "matchCriteriaId": "439B2155-5F30-42FD-B57A-32B7AC32E2A1", "versionEndExcluding": "3.8.16", "vulnerable": true}, {"criteria": "cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*:*", "matchCriteriaId": "4AE4398A-5217-408E-BF9B-D3A9ACC0E6C6", "versionEndExcluding": "3.9.10", "versionStartIncluding": "3.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A9CB1E4-A91E-4EC9-9E4E-7F41679EEF13", "versionEndExcluding": "3.10.9", "versionStartIncluding": "3.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number."}], "id": "CVE-2026-43964", "lastModified": "2026-05-11T21:17:31.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-05-04T19:16:07.143", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.mail-archive.com/postfix-announce@postfix.org/msg00110.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/05/04/30"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-193"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "postfix: buffer over-read via malformed enhanced status code", "id": "2466488", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466488"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-193", "details": ["A flaw was found in Postfix. This issue occurs when processing enhanced status codes, specifically an enhanced status code that lacks text following the third number. Depending on the configuration of the server, this allows a remote attacker to cause a buffer over-read of only 1 byte, leading to an application crash and resulting in a denial of service."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, review and adjust the following Postfix configurations:\n- DNSBL: Remove the $rbl_text variable from the rbl_reply_maps and default_rbl_reply settings to prevent triggers via malicious DNSBL TXT responses.\n- Policy Servers and Milters: Ensure any connected policy daemons or milters return fully RFC-compliant enhanced status codes. They must not return codes that lack text after the third digit (e.g., they should return 5.7.1 Rejected rather than just 5.7.1).\n- Access Tables and Content Checks: Audit custom access tables, header_checks, body_checks, and transport_maps (specifically error transports) to confirm that any manually defined rejection messages or status codes include descriptive text following the numeric code."}, "name": "CVE-2026-43964", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "postfix", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "postfix", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "postfix", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "postfix", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "postfix", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-04T18:10:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-43964\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43964\nhttps://www.mail-archive.com/postfix-announce@postfix.org/msg00110.html"], "statement": "This vulnerability cannot be triggered with an SMTP or LMTP server response. Instead, it is exposed only under specific server configurations:\n- Access tables\n- Policy server responses\n- Pipe-to-command output, header_checks, body_checks, an error transport in transport_maps, or a milter response\n- DNSBL server TXT responses (specifically when Postfix is configured with \"$rbl_code $rbl_text\" in rbl_reply_maps or default_rbl_reply)\nAs this flaw allows a remote attacker to cause a denial of service, it has been rated with an important severity.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2.3,3.8.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.9,3.9.10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.10,3.10.9)"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Postfix", "source": "cna", "vendor": "Postfix"}, "product": "postfix", "vendor": "postfix"}], "created": "2026-05-04T21:30:09.056251+00:00", "title": "Postfix Enhanced Status Code Buffer Over-read Crash", "updated": "2026-05-04T23:30:10.778464+00:00", "vendors": ["postfix", "postfix$PRODUCT$postfix"]}