On May 4, 2026, Wietse Venema released Postfix 3.11.2, 3.10.9, 3.9.10, and 3.8.16. If you run a mail server, this is the update you actually want to read — not because the CVSS score is alarming (it isn’t), but because one of the bugs patched in this release has been sitting in the codebase since 2005.

The CVE Worth Knowing About

CVE-2026-43964 is an off-by-one error in how Postfix handles enhanced status codes. If an SMTP access table, policy server, DNSBL response, or milter returns a bare status code — something like 5.7.2 without any text following it — the daemon reads past the end of the allocated buffer. The result is a process crash.

CVSS puts this at 3.7 (Low), and that’s technically correct: the attack requires network access and high complexity, and the impact is limited to availability. In plain terms: if the crash hits the right process at the wrong time, your mail queue stops processing until someone restarts Postfix. For a hosting environment where customers expect email to just work, that’s not a score to shrug at.

The bug was first introduced in Postfix 2.3, released in March 2005. It persisted through every subsequent release. The fix is a single-line change in dsn_util.c.

All actively maintained branches received the patch: 3.8.16, 3.9.10, 3.10.9, and 3.11.2.

What Else Changed

The release also fixes a handful of other issues. In the 3.11 branch: the proxymap daemon dereferenced an uninitialized pointer after a request protocol error (not directly exposed to remote users, but still worth closing). In the 3.10 branch: the RFC 2047 encoder for sender display names could enter an infinite loop when a very long full_name_encoding_charset value was configured in main.cf.

There is also a detail in these release notes that is easy to miss: several of the bugs are attributed to “Claude Opus 4.6” as discoverer — a file descriptor leak after fork() failure, unchecked null pointer results under out-of-memory conditions, integer overflow guard gaps, and logging errors across multiple source files. AI-assisted code auditing has been discussed for years; here it shows up quietly in a production release note, doing the tedious static analysis work that human reviewers routinely walk past.

What This Means for kalfaoglu.net Customers

If your hosting plan with us includes email services, the mail transport infrastructure is maintained and patched on your behalf. This Postfix release is on our radar and will be deployed during the next patching window.

If you manage your own VPS or dedicated server, check your installed version first:

postconf mail_version

Then cross-reference against the patched versions below. If you’re behind, update. Most major distributions should have packages available within days of a release. If your distro is lagging, the source is available at postfix.org and the build process is straightforward.
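As an added example (not code from the Postfix project or this post), here is a POSIX shell check that maps the installed version to its branch and compares it numerically with the patched version for that branch; it assumes postconf is on the PATH when no version string is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the Postfix project): compare the version reported by
# "postconf mail_version" with the patched version for its branch from the
# release announcement (3.11.2, 3.10.9, 3.9.10, 3.8.16).

# Patched version for each maintained branch; empty for branches older than 3.8.
patched_for_branch() {
    case "$1" in
        3.11) echo 3.11.2 ;;
        3.10) echo 3.10.9 ;;
        3.9)  echo 3.9.10 ;;
        3.8)  echo 3.8.16 ;;
        *)    echo "" ;;
    esac
}

# Exit 0 if dotted version $1 >= $2, comparing each field as an integer
# (a plain string compare would wrongly rank 3.9.10 above 3.10.9).
version_ge() {
    v1=$1; v2=$2; oldifs=$IFS; IFS=.
    set -- $v1; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $v2; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ]; return; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ]; return; fi
    [ "$a3" -ge "$b3" ]
}

# Print a verdict for one version string and return
# 0 = patched, 1 = vulnerable, 2 = branch older than 3.8 (needs the backport patch).
check_postfix_version() {
    # Distribution packages may append a suffix (e.g. 3.8.6-1); keep the dotted part.
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    branch=${v%.*}
    patched=$(patched_for_branch "$branch")
    if [ -z "$patched" ]; then
        echo "$v: branch $branch is not maintained; apply the standalone backport patch"
        return 2
    fi
    if version_ge "$v" "$patched"; then
        echo "$v: patched (branch $branch fixed in $patched)"
        return 0
    fi
    echo "$v: VULNERABLE to CVE-2026-43964; update to $patched or later"
    return 1
}

# Use the argument if given, otherwise ask the local Postfix installation.
if [ -n "$1" ]; then
    check_postfix_version "$1"
elif command -v postconf >/dev/null 2>&1; then
    check_postfix_version "$(postconf -h mail_version)"
fi
```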

The DNSBL path is particularly worth noting: if you use rbl_reply_maps or rely on the default $rbl_code $rbl_text template for reject messages, you are squarely in the trigger path for CVE-2026-43964.

Patched Version Reference

Branch    Patched version
3.11      3.11.2
3.10      3.10.9
3.9       3.9.10
3.8       3.8.16
< 3.8     Standalone backport patch in release announcement

If your Postfix predates the 3.8 branch — it happens — Venema included a standalone backport patch at the end of the release announcement.