CVE-2008-5514 [Medium] | Memory Corruption in Imap

Off-by-one error in the rfc822_output_char function in the RFC822BUFFER routines in the University of Washington (UW) c-client library, as used by the UW IMAP toolkit before imap-2007e and other applications, allows context-dependent attackers to cause a denial of service (crash) via an e-mail message that triggers a buffer overflow.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.81%	1.76%	+0.95%
2	2026-02-12	1.07%	0.81%	-0.26%
3	2025-03-30	—	1.07%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.81%

1.76%

+0.95%

2026-02-12

1.07%

0.81%

-0.26%

2025-03-30

—

1.07%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
4.3	2.0	MEDIUM	`AV:N/AC:M/Au:N/C:N/I:N/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:N) No integrity impact. Availability impact (A:P) Partial availability impact.	8.6	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

4.3

2.0

MEDIUM

AV:N/AC:M/Au:N/C:N/I:N/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:N): No integrity impact.
Availability impact (A:P): Partial availability impact.

8.6

2.9

[email protected]

OS Trackers for CVE-2008-5514

vendor	priority	summary	link
`debian`	medium	CVE-2008-5514 medium priority: Debian including 2 source packages (alpine, uw-imap), 7 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 7.	https://security-tracker.debian.org/tracker/CVE-2008-5514
`gentoo`	high	CVE-2008-5514: 2 GLSA(s) (200911-03, 201001-03), 3 atom(s) (dev-lang/php, net-libs/c-client, net-mail/uw-imap); latest impact high.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2008-5514
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2008-5514
`ubuntu`	medium	CVE-2008-5514 medium priority: Ubuntu including 1 source packages (uw-imap), 11 status rows across 11 suites (dapper, gutsy, hardy, intrepid, jaunty, karmic, lucid, maverick, natty, oneiric, upstream): not-affected 6, ignored 4, released 1.	https://ubuntu.com/security/CVE-2008-5514

Vendor comments (NVD) for CVE-2008-5514

Red Hat (2009-01-12T00:00:00)

Not vulnerable. This issue did not affect the versions of imap as shipped with Red Hat Enterprise Linux 2.1 and 3, and the versions of libc-client as shipped with Red Hat Enterprise Linux 4 and 5.

Affected software / configurations for CVE-2008-5514

Vendor	Product	Version	Raw CPE
university_of_washington	imap	<= 2007d	cpe:2.3:a:university_of_washington:imap::::::::
university_of_washington	imap	2000	cpe:2.3:a:university_of_washington:imap:2000:::::::*
university_of_washington	imap	2000a	cpe:2.3:a:university_of_washington:imap:2000a:::::::*
university_of_washington	imap	2000b	cpe:2.3:a:university_of_washington:imap:2000b:::::::*
university_of_washington	imap	2000c	cpe:2.3:a:university_of_washington:imap:2000c:::::::*
university_of_washington	imap	2001	cpe:2.3:a:university_of_washington:imap:2001:::::::*
university_of_washington	imap	2001a	cpe:2.3:a:university_of_washington:imap:2001a:::::::*
university_of_washington	imap	2002	cpe:2.3:a:university_of_washington:imap:2002:::::::*
university_of_washington	imap	2002a	cpe:2.3:a:university_of_washington:imap:2002a:::::::*
university_of_washington	imap	2002b	cpe:2.3:a:university_of_washington:imap:2002b:::::::*
university_of_washington	imap	2002c	cpe:2.3:a:university_of_washington:imap:2002c:::::::*
university_of_washington	imap	2002d	cpe:2.3:a:university_of_washington:imap:2002d:::::::*
university_of_washington	imap	2002e	cpe:2.3:a:university_of_washington:imap:2002e:::::::*
university_of_washington	imap	2002f	cpe:2.3:a:university_of_washington:imap:2002f:::::::*
university_of_washington	imap	2004	cpe:2.3:a:university_of_washington:imap:2004:::::::*
university_of_washington	imap	2004a	cpe:2.3:a:university_of_washington:imap:2004a:::::::*
university_of_washington	imap	2004b	cpe:2.3:a:university_of_washington:imap:2004b:::::::*
university_of_washington	imap	2004c	cpe:2.3:a:university_of_washington:imap:2004c:::::::*
university_of_washington	imap	2004d	cpe:2.3:a:university_of_washington:imap:2004d:::::::*
university_of_washington	imap	2004e	cpe:2.3:a:university_of_washington:imap:2004e:::::::*
university_of_washington	imap	2004f	cpe:2.3:a:university_of_washington:imap:2004f:::::::*
university_of_washington	imap	2004g	cpe:2.3:a:university_of_washington:imap:2004g:::::::*
university_of_washington	imap	2006	cpe:2.3:a:university_of_washington:imap:2006:::::::*
university_of_washington	imap	2006a	cpe:2.3:a:university_of_washington:imap:2006a:::::::*
university_of_washington	imap	2006b	cpe:2.3:a:university_of_washington:imap:2006b:::::::*
university_of_washington	imap	2006c	cpe:2.3:a:university_of_washington:imap:2006c:::::::*
university_of_washington	imap	2006d	cpe:2.3:a:university_of_washington:imap:2006d:::::::*
university_of_washington	imap	2006e	cpe:2.3:a:university_of_washington:imap:2006e:::::::*
university_of_washington	imap	2006f	cpe:2.3:a:university_of_washington:imap:2006f:::::::*
university_of_washington	imap	2006g	cpe:2.3:a:university_of_washington:imap:2006g:::::::*
university_of_washington	imap	2006h	cpe:2.3:a:university_of_washington:imap:2006h:::::::*
university_of_washington	imap	2006i	cpe:2.3:a:university_of_washington:imap:2006i:::::::*
university_of_washington	imap	2006j	cpe:2.3:a:university_of_washington:imap:2006j:::::::*
university_of_washington	imap	2006k	cpe:2.3:a:university_of_washington:imap:2006k:::::::*
university_of_washington	imap	2007	cpe:2.3:a:university_of_washington:imap:2007:::::::*
university_of_washington	imap	2007a	cpe:2.3:a:university_of_washington:imap:2007a:::::::*
university_of_washington	imap	2007b	cpe:2.3:a:university_of_washington:imap:2007b:::::::*

References for CVE-2008-5514

URL	Tags
http://secunia.com/advisories/33275
http://secunia.com/advisories/33638
http://securitytracker.com/id?1021485
http://www.mandriva.com/security/advisories?name=MDVSA-2009:146
http://www.securityfocus.com/bid/32958
http://www.vupen.com/english/advisories/2008/3490
http://www.washington.edu/imap/documentation/RELNOTES.html
https://bugzilla.redhat.com/show_bug.cgi?id=477227
https://exchange.xforce.ibmcloud.com/vulnerabilities/47526
https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00846.html

URL

CVE-2008-5514

Exploit prediction scoring system (EPSS) score for CVE-2008-5514

Common vulnerability scoring system (CVSS) metrics for CVE-2008-5514

Weakness enumeration for CVE-2008-5514

OS Trackers for CVE-2008-5514

Vendor comments (NVD) for CVE-2008-5514

Affected software / configurations for CVE-2008-5514

References for CVE-2008-5514