CVE-2026-43964

Name: CVE-2026-43964
Description: Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)
Debian Bugs: 1135718

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release    Version             Status
postfix (PTS)    bullseye   3.5.25-0+deb11u1    vulnerable
postfix (PTS)    bookworm   3.7.11-0+deb12u1    vulnerable
postfix (PTS)    trixie     3.10.5-1~deb13u1    vulnerable
postfix (PTS)    forky      3.11.0-4            vulnerable
postfix (PTS)    sid        3.11.2-2            fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
postfix   source   (unstable)   3.11.2-1        -         -        1135718

Notes

https://www.mail-archive.com/postfix-announce@postfix.org/msg00110.html
https://www.openwall.com/lists/oss-security/2026/05/04/25
