Vulnerability DatabaseCVE-2021-3657

CVE-2021-3657:
NixOS vulnerability analysis and mitigation

Overview

A vulnerability (CVE-2021-3657) was discovered in mbsync versions prior to 1.4.4, which is part of the isync mail synchronization software. The vulnerability stems from inadequate handling of extremely large (>=2GiB) IMAP literals, which could be exploited by malicious or compromised IMAP servers, and potentially even external email senders (Openwall, RedHat Bugzilla).

Technical details

The vulnerability is characterized by multiple buffer overflows that occur due to improper handling of IMAP literals larger than or equal to 2GiB in size. The severity of this vulnerability is classified as high, as indicated by the RedHat Bugzilla report (RedHat Bugzilla).

Impact

The vulnerability could potentially lead to remote code execution if successfully exploited. This impact is particularly significant in scenarios where attackers can control an IMAP server (Debian LTS).

Mitigation and workarounds

The primary mitigation is to upgrade to isync version 1.4.4 or later. For systems unable to upgrade immediately, patches were provided for both the 1.4.x and 1.3.x series, though it's noted that no further upstream releases will be made for the 1.3.x branch (Openwall, Gentoo Security).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

9.8

Score

Published February 18, 2022

Severity CRITICAL

CNA Score N/A

Affected Technologies

NixOS
Homebrew

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 91

Exploitation Probability (EPSS) 6.8

Affected packages and libraries

isync-debugsource
net-mail/isync

Sources

NVD
Alpine Security Tracker
- Alpine 3.10, 3.11, 3.12 Severity CRITICALHas FixAdded at: Nov 18, 2025
- Alpine 3.13, 3.14 Severity CRITICALHas FixAdded at: Dec 03, 2023
- Alpine 3.15 Severity CRITICALHas FixAdded at: Apr 26, 2022
- Alpine 3.16 Severity CRITICALHas FixAdded at: May 24, 2022
- Alpine 3.17 Severity CRITICALHas FixAdded at: Nov 23, 2022
- Alpine 3.18 Severity CRITICALHas FixAdded at: May 10, 2023
- Alpine 3.19 Severity CRITICALHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity CRITICALHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity CRITICALHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity CRITICALHas FixAdded at: Jun 01, 2025
- Alpine 3.23 Severity CRITICALHas FixAdded at: Dec 04, 2025
- Alpine edge Severity CRITICALHas FixAdded at: Jun 19, 2023
Debian Security Tracker
- Debian 9, 10 Severity CRITICALHas FixAdded at: Mar 28, 2022
- Debian 11 Severity CRITICALHas FixAdded at: Dec 18, 2021
- Debian 12 Severity CRITICALHas FixAdded at: Dec 05, 2021
- Debian 13 Severity CRITICALHas FixAdded at: Jun 11, 2023
- Debian 14 Severity CRITICALHas FixAdded at: Aug 10, 2025
Echo
- Echo Severity CRITICALHas FixAdded at: Nov 18, 2025
Gentoo Advisory Database
- Gentoo Severity MEDIUMHas FixAdded at: Aug 11, 2022
Homebrew
- Homebrew Severity CRITICALHas FixAdded at: Feb 12, 2024
Nix
- Nix Severity CRITICALHas FixAdded at: Nov 01, 2023
Ubuntu Security Tracker
- Ubuntu 18.04, 20.04 Severity MEDIUMNo FixAdded at: Dec 04, 2021
- Ubuntu 22.04 Severity MEDIUMNo FixAdded at: Nov 01, 2022
- Ubuntu 24.04 Severity MEDIUMNo FixAdded at: May 06, 2024
- Ubuntu 24.10 Severity MEDIUMNo FixAdded at: Dec 10, 2024
- Ubuntu 25.04 Severity MEDIUMNo FixAdded at: May 08, 2025
- Ubuntu 25.10 Severity MEDIUMNo FixAdded at: Oct 13, 2025

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related NixOS vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-14330	CRITICAL	9.8	NixOS	cpe:2.3:a:mozilla:firefox	No	Yes	Dec 09, 2025
CVE-2025-14329	HIGH	8.8	NixOS	firefox-x11	No	Yes	Dec 09, 2025
CVE-2025-14333	HIGH	8.1	NixOS	firefox-x11	No	Yes	Dec 09, 2025
CVE-2025-14332	HIGH	7.3	NixOS	cpe:2.3:a:mozilla:firefox	No	Yes	Dec 09, 2025
CVE-2025-14331	MEDIUM	6.5	NixOS	firefox	No	Yes	Dec 09, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2021-3657: NixOS vulnerability analysis and mitigation