qmail has been hit by multiple remote code execution issues spanning legacy and actively maintained codebases. Qualys reported that CVE-2005-1513, long believed unexploitable in default installations, can be triggered remotely through qmail-local on Debian’s default qmail package by sending a nearly 4 GB mail header that causes an integer overflow in stralloc_readyplus, leading to a large buffer overflow and arbitrary command execution as any non-root local user. The same research also identified CVE-2020-3811, a recipient verification bypass in the bundled qmail-verify component, and CVE-2020-3812, a local information disclosure issue tied to privileged file existence checks.

A pull request addressing remote code execution via shell injection in qmail-remote's TLS error handler was merged into the main branch; the merge is dated April 7, 2026.
In the same advisory, Qualys said it published a patch for Debian's qmail package and noted that notqmail developers had also produced fixes for the legacy qmail issues. The advisory additionally recommended mitigations such as low memory limits and message size restrictions.
Qualys reported that three qmail vulnerabilities originally disclosed in 2005 remained unfixed and that CVE-2005-1513 was remotely exploitable in a default Debian qmail installation via qmail-local. The advisory also described CVE-2020-3811 and CVE-2020-3812 in the Debian-packaged qmail-verify component.
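The defect class the advisory attributes to stralloc_readyplus (a length counter plus an attacker-controlled increment, added without a range check so a near-4 GB request wraps to a small allocation), together with the size-limit mitigation the same advisory recommends, as an added C example. This is not qmail's or notqmail's code: the sbuf type, its field names, the growth policy and the cap parameter are this example's own assumptions, and the unchecked function only returns the wrapped size so the wrap can be observed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string buffer modelled on the stralloc idiom the
 * advisory names. The s / len / a fields are this example's own naming, not
 * qmail's source. Counters are size_t, so length arithmetic is at least as
 * wide as any object the allocator can hand back. */
typedef struct {
    char *s;     /* heap storage */
    size_t len;  /* bytes in use */
    size_t a;    /* bytes allocated */
} sbuf;

/* Models the defect class: a 32-bit length counter plus an untrusted
 * increment, summed without a range check. uint32_t is used so the wrap is
 * defined behaviour for demonstration; nothing is allocated here, the
 * function only returns the request size a naive readyplus would compute. */
uint32_t unchecked_readyplus_size(uint32_t len, uint32_t n) {
    return len + n;  /* wraps modulo 2^32: a ~4 GB increment looks tiny */
}

/* Hardened readyplus: refuse growth that would overflow or exceed a caller
 * supplied cap (the advisory's "message size restriction" applied at the
 * data-structure level). Returns 0 on success, -1 on refusal or allocation
 * failure; the buffer is left unchanged on failure. */
int sbuf_readyplus(sbuf *b, size_t n, size_t cap) {
    if (n > cap || b->len > cap - n)   /* overflow-safe form of len + n > cap */
        return -1;
    size_t need = b->len + n;          /* cannot wrap: both terms <= cap */
    if (need <= b->a)
        return 0;
    size_t newa = need + (need >> 3) + 30;  /* geometric growth with slack */
    if (newa < need || newa > cap)          /* slack must not wrap or pass the cap */
        newa = need;
    char *p = realloc(b->s, newa);
    if (p == NULL)
        return -1;
    b->s = p;
    b->a = newa;
    return 0;
}

/* Append under the same cap; this is the path a header line would take. */
int sbuf_append(sbuf *b, const char *data, size_t n, size_t cap) {
    if (sbuf_readyplus(b, n, cap) != 0)
        return -1;
    memcpy(b->s + b->len, data, n);
    b->len += n;
    return 0;
}

void sbuf_free(sbuf *b) {
    free(b->s);
    b->s = NULL;
    b->len = b->a = 0;
}

int main(void) {
    /* Constructed input: one short header line and a 1 MiB cap. */
    const char hdr[] = "Subject: hello\n";
    sbuf b = {0};
    size_t cap = 1u << 20;
    printf("naive 32-bit request for 16 + 0xFFFFFFF0 bytes: %u\n",
           unchecked_readyplus_size(16, 0xFFFFFFF0u));
    printf("append short header: %d\n", sbuf_append(&b, hdr, sizeof hdr - 1, cap));
    printf("growth request near 4 GB under cap: %d\n",
           sbuf_readyplus(&b, (size_t)0xFFFFFFF0u, cap));
    sbuf_free(&b);
    return 0;
}
```

The cap is passed explicitly so the same buffer type can enforce a per-message bound at the point where untrusted bytes are copied, independent of any process-level memory limit; the check is written as `b->len > cap - n` rather than `b->len + n > cap` so that the comparison itself cannot overflow.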