https://blog.kalfaoglu.net/tags/postfix/Recent content in Postfix on kalfaoglu.netHugoenThu, 07 May 2026 00:00:00 +0000https://blog.kalfaoglu.net/posts/2026-05-07-postfix-3112-cve-2026-43964-en/Thu, 07 May 2026 00:00:00 +0000https://blog.kalfaoglu.net/posts/2026-05-07-postfix-3112-cve-2026-43964-en/<p>On May 4, 2026, Wietse Venema released Postfix 3.11.2, 3.10.9, 3.9.10, and 3.8.16. If you run a mail server, this is the update you actually want to read — not because the CVSS score is alarming (it isn&rsquo;t), but because one of the bugs patched in this release has been sitting in the codebase since 2005.</p> <h2 id="the-cve-worth-knowing-about">The CVE Worth Knowing About</h2> <p><a href="https://cve.threatint.eu/CVE/CVE-2026-43964">CVE-2026-43964</a> is an off-by-one error in how Postfix handles enhanced status codes. If an SMTP access table, policy server, DNSBL response, or milter returns a bare status code — something like <code>5.7.2</code> without any text following it — the daemon reads past the end of the allocated buffer. The result is a process crash.</p>