Search criteria

13 vulnerabilities found for postfix by postfix

CERTFR-2026-AVI-0793

Vulnerability from certfr_avis - Published: 2026-06-22 - Updated: 2026-06-22

De multiples vulnérabilités ont été découvertes dans Postfix. Elles permettent à un attaquant de provoquer un déni de service à distance et un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products
Vendor Product Description
Postfix Postfix Postfix versions 3.11.x antérieures à 3.11.4
Postfix Postfix Postfix versions 3.10.x antérieures à 3.10.11
Postfix Postfix Postfix versions 3.9.x antérieures à 3.9.12
Postfix Postfix Postfix versions antérieures à 3.8.18
References

Show details on source website

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Postfix versions 3.11.x ant\u00e9rieures \u00e0 3.11.4",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.10.x ant\u00e9rieures \u00e0 3.10.11",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.9.x ant\u00e9rieures \u00e0 3.9.12",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions ant\u00e9rieures \u00e0 3.8.18",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [],
  "initial_release_date": "2026-06-22T00:00:00",
  "last_revision_date": "2026-06-22T00:00:00",
  "links": [],
  "reference": "CERTFR-2026-AVI-0793",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-06-22T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Postfix. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Postfix",
  "vendor_advisories": [
    {
      "published_at": "2026-06-17",
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix postfix-3.11.4",
      "url": "http://www.postfix.org/announcements/postfix-3.11.4.html"
    }
  ]
}

CERTFR-2025-AVI-1040

Vulnerability from certfr_avis - Published: 2025-11-26 - Updated: 2025-11-26

Une vulnérabilité a été découverte dans Postfix. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité et un déni de service.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products
Vendor Product Description
Postfix Postfix Postfix versions 3.10.x antérieures à 3.10.6
Postfix Postfix Postfix versions antérieures à 3.7.18
Postfix Postfix Postfix versions 3.8.x antérieures à 3.8.13
Postfix Postfix Postfix versions 3.9.x antérieures à 3.9.7
References

Show details on source website

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Postfix versions 3.10.x ant\u00e9rieures \u00e0 3.10.6",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions ant\u00e9rieures \u00e0 3.7.18",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.8.x ant\u00e9rieures \u00e0 3.8.13",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.9.x ant\u00e9rieures \u00e0 3.9.7",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [],
  "initial_release_date": "2025-11-26T00:00:00",
  "last_revision_date": "2025-11-26T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-1040",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-11-26T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Postfix. Elle permet \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9 et un d\u00e9ni de service.",
  "title": "Vuln\u00e9rabilit\u00e9 dans Postfix",
  "vendor_advisories": [
    {
      "published_at": "2025-11-25",
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix postfix-3.10.6",
      "url": "http://www.postfix.org/announcements/postfix-3.10.6.html"
    }
  ]
}

CERTFR-2024-AVI-0058

Vulnerability from certfr_avis - Published: 2024-01-22 - Updated: 2024-01-22

Une vulnérabilité a été découverte dans Postfix. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

D'après l'éditeur, les versions 3.8.5, 3.7.10, 3.6.14 et 3.5.24 apportent un correctif à long terme contrairement aux versions 3.8.4, 3.7.9, 3.6.13 et 3.5.23 qui constituaient une mesure de contournement.

Impacted products
Vendor Product Description
Postfix Postfix Postfix versions antérieures à 3.8.5, 3.7.10, 3.6.14 et 3.5.24
References
Bulletin de sécurité Postfix 2023-12-18 vendor-advisory
Bulletin de sécurité Postfix 3.8.5 2024-01-22 vendor-advisory

Show details on source website

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Postfix versions ant\u00e9rieures \u00e0 3.8.5, 3.7.10, 3.6.14 et 3.5.24",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "D\u0027apr\u00e8s l\u0027\u00e9diteur, les versions 3.8.5, 3.7.10, 3.6.14 et 3.5.24 apportent un correctif \u00e0 long terme contrairement aux versions 3.8.4, 3.7.9, 3.6.13 et 3.5.23 qui constituaient une mesure de contournement.",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-51764",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-51764"
    }
  ],
  "initial_release_date": "2024-01-22T00:00:00",
  "last_revision_date": "2024-01-22T00:00:00",
  "links": [],
  "reference": "CERTFR-2024-AVI-0058",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-01-22T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Postfix. Elle permet \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Postfix",
  "vendor_advisories": [
    {
      "published_at": "2023-12-18",
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix",
      "url": "https://www.postfix.org/smtp-smuggling.html"
    },
    {
      "published_at": "2024-01-22",
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix 3.8.5",
      "url": "https://www.postfix.org/announcements/postfix-3.8.5.html"
    }
  ]
}

CERTFR-2023-AVI-1057

Vulnerability from certfr_avis - Published: 2023-12-22 - Updated: 2023-12-26

De multiples vulnérabilités ont été corrigées dans Postfix. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None
Impacted products
Vendor Product Description
Postfix Postfix Postfix versions antérieures à 3.8.4, 3.7.9, 3.6.13 et 3.5.23

Show details on source website

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Postfix versions ant\u00e9rieures \u00e0 3.8.4, 3.7.9, 3.6.13 et 3.5.23",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2023-12-22T00:00:00",
  "last_revision_date": "2023-12-26T00:00:00",
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix 3.8.4 du 22 d\u00e9cembre 2022",
      "url": "https://www.postfix.org/announcements/postfix-3.8.4.html"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix 3.6.13 du 22 d\u00e9cembre 2022",
      "url": "https://www.postfix.org/announcements/postfix-3.6.13.html"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix 3.7.9 du 22 d\u00e9cembre 2022",
      "url": "https://www.postfix.org/announcements/postfix-3.7.9.html"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix 3.5.23 du 22 d\u00e9cembre 2022",
      "url": "https://www.postfix.org/announcements/postfix-3.5.23.html"
    }
  ],
  "reference": "CERTFR-2023-AVI-1057",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-12-22T00:00:00.000000"
    },
    {
      "description": "Ajout des bulletins de s\u00e9curit\u00e9 Postfix du 22 d\u00e9cembre 2023.",
      "revision_date": "2023-12-26T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans Postfix. Elles\npermettent \u00e0 un attaquant de provoquer un contournement de la politique\nde s\u00e9curit\u00e9.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Postfix",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix 3.6.13 du 22 d\u00e9cembre 2023",
      "url": null
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix 3.7.9 du 22 d\u00e9cembre 2023",
      "url": null
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix du 20 d\u00e9cembre 2023",
      "url": "https://www.postfix.org/smtp-smuggling.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix 3.8.4 du 22 d\u00e9cembre 2023",
      "url": null
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix 3.5.23 du 22 d\u00e9cembre 2023",
      "url": null
    }
  ]
}

CERTFR-2023-AVI-0437

Vulnerability from certfr_avis - Published: 2023-06-07 - Updated: 2023-06-07

De multiples vulnérabilités ont été découvertes dans Postfix. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None
Impacted products
Vendor Product Description
Postfix Postfix Postfix versions 3.5.x antérieures à 3.5.20
Postfix Postfix Postfix versions 3.8.x antérieures à 3.8.1
Postfix Postfix Postfix versions 3.6.x antérieures à 3.6.10
Postfix Postfix Postfix versions 3.7.x antérieures à 3.7.6
References

Show details on source website

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Postfix versions 3.5.x ant\u00e9rieures \u00e0 3.5.20",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.8.x ant\u00e9rieures \u00e0 3.8.1",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.6.x ant\u00e9rieures \u00e0 3.6.10",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.7.x ant\u00e9rieures \u00e0 3.7.6",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2023-06-07T00:00:00",
  "last_revision_date": "2023-06-07T00:00:00",
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix du 05 juin 2023",
      "url": "http://www.postfix.org/announcements/postfix-3.8.1.html"
    }
  ],
  "reference": "CERTFR-2023-AVI-0437",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-06-07T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Postfix. Elles\npermettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Postfix",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix 3.8.1 du 05 juin 2023",
      "url": null
    }
  ]
}

CERTFR-2023-AVI-0328

Vulnerability from certfr_avis - Published: 2023-04-20 - Updated: 2023-04-20

De multiples vulnérabilités ont été découvertes dans Postfix. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité et un déni de service.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None
Impacted products
Vendor Product Description
Postfix Postfix Postfix versions 3.4.x antérieures à 3.4.29
Postfix Postfix Postfix versions 3.5.x antérieures à 3.5.19
Postfix Postfix Postfix versions 3.7.x antérieures à 3.7.5
Postfix Postfix Postfix versions antérieures à 3.8.0
Postfix Postfix Postfix versions 3.6.x antérieures à 3.6.9

Show details on source website

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Postfix versions 3.4.x ant\u00e9rieures \u00e0 3.4.29",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.5.x ant\u00e9rieures \u00e0 3.5.19",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.7.x ant\u00e9rieures \u00e0 3.7.5",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions ant\u00e9rieures \u00e0 3.8.0",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.6.x ant\u00e9rieures \u00e0 3.6.9",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2023-04-20T00:00:00",
  "last_revision_date": "2023-04-20T00:00:00",
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix du 18 avril 2023",
      "url": "http://www.postfix.org/announcements/postfix-3.7.5.html"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix du 18 avril 2023",
      "url": "http://www.postfix.org/announcements/postfix-3.8.0.html"
    }
  ],
  "reference": "CERTFR-2023-AVI-0328",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-04-20T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Postfix. Elles\npermettent \u00e0 un attaquant de provoquer un contournement de la politique\nde s\u00e9curit\u00e9 et un d\u00e9ni de service.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Postfix",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix 3.7.5 du 18 avril 2023",
      "url": null
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix 3.8.0 du 18 avril 2023",
      "url": null
    }
  ]
}

CERTFR-2022-AVI-358

Vulnerability from certfr_avis - Published: 2022-04-19 - Updated: 2022-04-19

De multiples vulnérabilités ont été découvertes dans Postfix. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité et une élévation de privilèges.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None
Impacted products
Vendor Product Description
Postfix Postfix Postfix versions 3.5.x antérieures à 3.5.16
Postfix Postfix Postfix versions 3.6.x antérieures à 3.6.6
Postfix Postfix Postfix versions 3.7.x antérieures à 3.7.1
Postfix Postfix Postfix versions 3.4.x antérieures à 3.4.26
References

Show details on source website

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Postfix versions 3.5.x ant\u00e9rieures \u00e0 3.5.16",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.6.x ant\u00e9rieures \u00e0 3.6.6",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.7.x ant\u00e9rieures \u00e0 3.7.1",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.4.x ant\u00e9rieures \u00e0 3.4.26",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2022-04-19T00:00:00",
  "last_revision_date": "2022-04-19T00:00:00",
  "links": [],
  "reference": "CERTFR-2022-AVI-358",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-04-19T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Postfix. Elles\npermettent \u00e0 un attaquant de provoquer un contournement de la politique\nde s\u00e9curit\u00e9 et une \u00e9l\u00e9vation de privil\u00e8ges.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Postfix",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix 3.7.1 du 18 avril 2022",
      "url": "https://www.postfix.org/announcements/postfix-3.7.1.html"
    }
  ]
}

CERTFR-2022-AVI-117

Vulnerability from certfr_avis - Published: 2022-02-07 - Updated: 2022-02-07

De multiples vulnérabilités ont été découvertes dans Postfix. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité, une atteinte à l'intégrité des données et une élévation de privilèges.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products
Vendor Product Description
Postfix Postfix Postfix versions 3.4.x antérieures à 3.4.25
Postfix Postfix Postfix versions 3.6.x antérieures à 3.6.5 ou 3.7.0
Postfix Postfix Postfix versions 3.3.x antérieures à 3.3.22
Postfix Postfix Postfix versions 3.5.x antérieures à 3.5.15
References
Bulletin de sécurité Postfix 3.7.0 2022-02-05 vendor-advisory
Bulletin de sécurité Postfix 3.6.5 2022-02-05 vendor-advisory

Show details on source website

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Postfix versions 3.4.x ant\u00e9rieures \u00e0 3.4.25",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.6.x ant\u00e9rieures \u00e0 3.6.5 ou 3.7.0",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.3.x ant\u00e9rieures \u00e0 3.3.22",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.5.x ant\u00e9rieures \u00e0 3.5.15",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2022-02-07T00:00:00",
  "last_revision_date": "2022-02-07T00:00:00",
  "links": [],
  "reference": "CERTFR-2022-AVI-117",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-02-07T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Postfix. Elles\npermettent \u00e0 un attaquant de provoquer un contournement de la politique\nde s\u00e9curit\u00e9, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une \u00e9l\u00e9vation de\nprivil\u00e8ges.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Postfix",
  "vendor_advisories": [
    {
      "published_at": "2022-02-05",
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix 3.7.0",
      "url": "https://www.postfix.org/announcements/postfix-3.7.0.html"
    },
    {
      "published_at": "2022-02-05",
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix 3.6.5",
      "url": "https://www.postfix.org/announcements/postfix-3.6.5.html"
    }
  ]
}

CERTFR-2022-AVI-045

Vulnerability from certfr_avis - Published: 2022-01-17 - Updated: 2022-01-17

De multiples vulnérabilités ont été découvertes dans Postfix. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None
Impacted products
Vendor Product Description
Postfix Postfix Postfix versions 3.3.x antérieures à 3.3.21
Postfix Postfix Postfix versions 3.4.x antérieures à 3.4.24
Postfix Postfix Postfix versions 3.6.x antérieures à 3.6.4
Postfix Postfix Postfix versions 3.5.x antérieures à 3.5.14
References

Show details on source website

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Postfix versions 3.3.x ant\u00e9rieures \u00e0 3.3.21",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.4.x ant\u00e9rieures \u00e0 3.4.24",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.6.x ant\u00e9rieures \u00e0 3.6.4",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.5.x ant\u00e9rieures \u00e0 3.5.14",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2022-01-17T00:00:00",
  "last_revision_date": "2022-01-17T00:00:00",
  "links": [],
  "reference": "CERTFR-2022-AVI-045",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-01-17T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Postfix. Elles\npermettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, un contournement de la politique de s\u00e9curit\u00e9 et\nune atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Postfix",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix du 16 janvier 2022",
      "url": "http://www.postfix.org/announcements/postfix-3.6.4.html"
    }
  ]
}

CERTFR-2021-AVI-851

Vulnerability from certfr_avis - Published: 2021-11-09 - Updated: 2021-11-09

Une vulnérabilité a été découverte dans Postfix. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None
Impacted products
Vendor Product Description
Postfix Postfix Postfix versions antérieures à 3.6.3, 3.5.13, 3.4.23, 3.3.20
References

Show details on source website

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Postfix versions ant\u00e9rieures \u00e0 3.6.3, 3.5.13, 3.4.23, 3.3.20",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2021-11-09T00:00:00",
  "last_revision_date": "2021-11-09T00:00:00",
  "links": [],
  "reference": "CERTFR-2021-AVI-851",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-11-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Postfix. Elle permet \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Postfix",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix 3.6.3 du 9 novembre 2021",
      "url": "http://www.postfix.org/announcements/postfix-3.6.3.html"
    }
  ]
}

CERTFR-2019-AVI-456

Vulnerability from certfr_avis - Published: 2019-09-23 - Updated: 2019-09-23

De multiples vulnérabilités ont été découvertes dans Postfix. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur et un déni de service à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None
Impacted products
Vendor Product Description
Postfix Postfix Postfix versions 3.1.x antérieures à 3.1.14
Postfix Postfix Postfix versions 3.2.x antérieures à 3.2.11
Postfix Postfix Postfix versions 3.4.x antérieures à 3.4.7
Postfix Postfix Postfix versions 3.3.x antérieures à 3.3.6
References

Show details on source website

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Postfix versions 3.1.x ant\u00e9rieures \u00e0 3.1.14",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.2.x ant\u00e9rieures \u00e0 3.2.11",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.4.x ant\u00e9rieures \u00e0 3.4.7",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 3.3.x ant\u00e9rieures \u00e0 3.3.6",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2019-09-23T00:00:00",
  "last_revision_date": "2019-09-23T00:00:00",
  "links": [],
  "reference": "CERTFR-2019-AVI-456",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2019-09-23T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Postfix. Elles\npermettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non\nsp\u00e9cifi\u00e9 par l\u0027\u00e9diteur et un d\u00e9ni de service \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Postfix",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Postfix du 22 septembre 2019",
      "url": "http://www.postfix.org/announcements/postfix-3.4.7.html"
    }
  ]
}

CERTA-2011-AVI-146

Vulnerability from certfr_avis - Published: 2011-03-10 - Updated: 2011-03-10

Une vulnérabilité dans la gestion du protocole TLS permet à un attaquant d'insérer des commandes dans les communications SMTP d'une victime.

Description

Il est possible à un attaquant en position d'interception (man in the middle) d'insérer des commandes SMTP lorsqu'un client souhaite utiliser une connexion sécurisée au moyen de la commande STARTTLS, qui est un message transmis en clair. Ces commandes sont alors interprétées par le serveur dans le contexte d'une connexion sécurisée.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None
Impacted products
Vendor Product Description
Postfix Postfix Postfix versions 2.5.x strictement inférieures à 2.5.12 ;
Postfix Postfix Postfix versions 2.6.x strictement inférieures à 2.6.9 ;
Postfix Postfix Postfix versions 2.7.x strictement inférieures à 2.7.3 ;
Postfix Postfix Postfix versions 2.4.x strictement inférieures à 2.4.16.

Show details on source website

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Postfix versions 2.5.x strictement inf\u00e9rieures \u00e0 2.5.12 ;",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 2.6.x strictement inf\u00e9rieures \u00e0 2.6.9 ;",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 2.7.x strictement inf\u00e9rieures \u00e0 2.7.3 ;",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    },
    {
      "description": "Postfix versions 2.4.x strictement inf\u00e9rieures \u00e0 2.4.16.",
      "product": {
        "name": "Postfix",
        "vendor": {
          "name": "Postfix",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nIl est possible \u00e0 un attaquant en position d\u0027interception (man in the\nmiddle) d\u0027ins\u00e9rer des commandes SMTP lorsqu\u0027un client souhaite utiliser\nune connexion s\u00e9curis\u00e9e au moyen de la commande STARTTLS, qui est un\nmessage transmis en clair. Ces commandes sont alors interpr\u00e9t\u00e9es par le\nserveur dans le contexte d\u0027une connexion s\u00e9curis\u00e9e.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2011-0411",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-0411"
    }
  ],
  "initial_release_date": "2011-03-10T00:00:00",
  "last_revision_date": "2011-03-10T00:00:00",
  "links": [
    {
      "title": "Description d\u00e9taill\u00e9e de la vuln\u00e9rabilit\u00e9 CVE-2011-0411 :",
      "url": "http://www.postfix.org/CVE-2011-0411.html"
    }
  ],
  "reference": "CERTA-2011-AVI-146",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2011-03-10T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 dans la gestion du protocole TLS permet \u00e0 un attaquant\nd\u0027ins\u00e9rer des commandes dans les communications SMTP d\u0027une victime.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Postfix",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de mise \u00e0 jour Postfix du 7 mars 2011",
      "url": "http://www.postfix.org/announcements/postfix-2.7.3.html"
    }
  ]
}

CVE-2026-43964 (GCVE-0-2026-43964)

Vulnerability from cvelistv5 – Published: 2026-05-04 18:10 – Updated: 2026-06-30 12:08
VLAI?
Summary
Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.
CWE
Assigner
Impacted products
Vendor Product Version
Postfix Postfix Affected: 2.3 , < 3.8.16 (custom)
Affected: 3.9 , < 3.9.10 (custom)
Affected: 3.10 , < 3.10.9 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-43964",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-04T19:49:30.949584Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-04T19:49:41.165Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-04T22:21:13.917Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/04/30"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:8::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS (v. 8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:6"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 7",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-05-04T18:10:10.509Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in Postfix. This issue occurs when processing enhanced status codes, specifically an enhanced status code that lacks text following the third number. Depending on the configuration of the server, this allows a remote attacker to cause a buffer over-read of only 1 byte, leading to an application crash and resulting in a denial of service."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-193",
                "description": "Off-by-one Error",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:08:31.428Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-43964"
          },
          {
            "name": "RHBZ#2466488",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466488"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43964.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:25930"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:25932"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26205"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:25930: Red Hat Enterprise Linux AppStream (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:25932: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux BaseOS (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26205: Red Hat Enterprise Linux AppStream (v. 9)"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-04T19:01:26.972Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-05-04T18:10:10.509Z",
            "value": "Made public."
          }
        ],
        "title": "postfix: buffer over-read via malformed enhanced status code",
        "workarounds": [
          {
            "lang": "en",
            "value": "To mitigate this vulnerability, review and adjust the following Postfix configurations:\n\n- DNSBL: Remove the $rbl_text variable from the rbl_reply_maps and default_rbl_reply settings to prevent triggers via malicious DNSBL TXT responses.\n- Policy Servers and Milters: Ensure any connected policy daemons or milters return fully RFC-compliant enhanced status codes. They must not return codes that lack text after the third digit (e.g., they should return 5.7.1 Rejected rather than just 5.7.1).\n- Access Tables and Content Checks: Audit custom access tables, header_checks, body_checks, and transport_maps (specifically error transports) to confirm that any manually defined rejection messages or status codes include descriptive text following the numeric code."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Postfix",
          "vendor": "Postfix",
          "versions": [
            {
              "lessThan": "3.8.16",
              "status": "affected",
              "version": "2.3",
              "versionType": "custom"
            },
            {
              "lessThan": "3.9.10",
              "status": "affected",
              "version": "3.9",
              "versionType": "custom"
            },
            {
              "lessThan": "3.10.9",
              "status": "affected",
              "version": "3.10",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.8.16",
                  "versionStartIncluding": "2.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.9.10",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:postfix:postfix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.10.9",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-193",
              "description": "CWE-193 Off-by-one Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-04T18:28:07.825Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.mail-archive.com/postfix-announce@postfix.org/msg00110.html"
        }
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-43964",
    "datePublished": "2026-05-04T18:10:10.509Z",
    "dateReserved": "2026-05-04T18:10:10.120Z",
    "dateUpdated": "2026-06-30T12:08:31.428Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}