CVE-2004-0078

Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages.

Published: 2004-03-03 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2004-0078 is rated Moderate Risk (61.8/100): CVSS High severity, with high exploitation likelihood (EPSS 5.43%, 92th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2004-0078

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 5.66% 5.43% -0.23%
2 2025-03-30 5.49% 5.66% +0.17%
3 2025-03-29 5.49%

Full EPSS history (8 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2004-0078

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 2.0 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
10.0 6.4 [email protected]

Weakness enumeration for CVE-2004-0078

OS Trackers for CVE-2004-0078

vendor priority summary link
debian not yet assigned CVE-2004-0078 not yet assigned priority: Debian including 1 source packages (mutt), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2004-0078
redhat high https://access.redhat.com/security/cve/CVE-2004-0078

Affected software / configurations for CVE-2004-0078

Vendor Product Version Raw CPE
mutt mutt 1.2.1 cpe:2.3:a:mutt:mutt:1.2.1:*:*:*:*:*:*:*
mutt mutt 1.2.5 cpe:2.3:a:mutt:mutt:1.2.5:*:*:*:*:*:*:*
mutt mutt 1.2.5.1 cpe:2.3:a:mutt:mutt:1.2.5.1:*:*:*:*:*:*:*
mutt mutt 1.2.5.4 cpe:2.3:a:mutt:mutt:1.2.5.4:*:*:*:*:*:*:*
mutt mutt 1.2.5.5 cpe:2.3:a:mutt:mutt:1.2.5.5:*:*:*:*:*:*:*
mutt mutt 1.2.5.12 cpe:2.3:a:mutt:mutt:1.2.5.12:*:*:*:*:*:*:*
mutt mutt 1.2.5.12_ol cpe:2.3:a:mutt:mutt:1.2.5.12_ol:*:*:*:*:*:*:*
mutt mutt 1.3.12 cpe:2.3:a:mutt:mutt:1.3.12:*:*:*:*:*:*:*
mutt mutt 1.3.12.1 cpe:2.3:a:mutt:mutt:1.3.12.1:*:*:*:*:*:*:*
mutt mutt 1.3.16 cpe:2.3:a:mutt:mutt:1.3.16:*:*:*:*:*:*:*
mutt mutt 1.3.17 cpe:2.3:a:mutt:mutt:1.3.17:*:*:*:*:*:*:*
mutt mutt 1.3.22 cpe:2.3:a:mutt:mutt:1.3.22:*:*:*:*:*:*:*
mutt mutt 1.3.24 cpe:2.3:a:mutt:mutt:1.3.24:*:*:*:*:*:*:*
mutt mutt 1.3.25 cpe:2.3:a:mutt:mutt:1.3.25:*:*:*:*:*:*:*
mutt mutt 1.3.27 cpe:2.3:a:mutt:mutt:1.3.27:*:*:*:*:*:*:*
mutt mutt 1.3.28 cpe:2.3:a:mutt:mutt:1.3.28:*:*:*:*:*:*:*
mutt mutt 1.4.0 cpe:2.3:a:mutt:mutt:1.4.0:*:*:*:*:*:*:*
mutt mutt 1.4.1 cpe:2.3:a:mutt:mutt:1.4.1:*:*:*:*:*:*:*

References for CVE-2004-0078

URL Tags
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2004-013.0.txt
http://bugs.debian.org/126336
http://marc.info/?l=bugtraq&m=107651677817933&w=2
http://marc.info/?l=bugtraq&m=107696262905039&w=2
http://marc.info/?l=bugtraq&m=107884956930903&w=2
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:010
http://www.osvdb.org/3918
http://www.redhat.com/support/errata/RHSA-2004-050.html Patch Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2004-051.html Patch Vendor Advisory
http://www.securityfocus.com/bid/9641 Patch Vendor Advisory
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.405053
https://exchange.xforce.ibmcloud.com/vulnerabilities/15134
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A811
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A838
cvelogic Threat Intelligence