CVE-2026-47088
Summary
| CVE | CVE-2026-47088 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-16 19:16:49 UTC |
| Updated | 2026-07-16 19:16:49 UTC |
| Description | An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is heap exposure in nested MIME comment parsing. An authenticated IMAP user could craft an email message containing an RFC 822 comment ending with a backslash. When parsing the message, the server would read past the message's end in memory, and read into the heap, returning the read content to the user. |
Risk And Classification
Primary CVSS: v3.1 3.1 LOW from [email protected]
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Problem Types: CWE-126 | CWE-126 CWE-126 Buffer Over-read
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 3.1 | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | CNA | CVSS | 3.1 | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
NoneAvailability
NoneCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Cyrusimap | Cyrus IMAP | affected 3.12.3 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.cyrusimap.org/3.12/imap/download/release-notes/3.12/x/3.12.3.html | [email protected] | www.cyrusimap.org | |
| www.cyrusimap.org/imap/download/release-notes/index.html | [email protected] | www.cyrusimap.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.